Hi all.
As I had stated in my short bio, I feel that I was caught with my pants down. This has motivated me to diligently seek to better secure my system.

Now I am trying to "harden" my system. First by changing my logging setup.

From what I understand the logrotate.conf determines how long to keep the logs and what to do with the /var/log/.... It seems that my /var/log/messages does not reflect the settings in the logrotate.conf. My /var/log/messages file is HUGE with six months of logging. I've read the man pages on logrotate but a few things are not clear.
Here is a copy of my /etc/logrotate.conf
Code:
# /etc/logrotate.conf
#
# logrotate is designed to ease administration of systems that generate large
# numbers of log files. It allows automatic rotation, compression, removal, and
# mailing of log files. Each log file may be handled daily, weekly, monthly, or
# when it grows too large.
#
# logrotate is normally run daily from root's crontab.
#
# For more details, see "man logrotate".

# rotate log files weekly:
weekly

# keep 4 weeks worth of backlogs:
rotate 4


# create new (empty) log files after rotating old ones:
create

# uncomment this if you want your log files compressed:
#compress

# some packages install log rotation information in this directory:
include /etc/logrotate.d

# Rotate /var/log/wtmp:
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

# Rotate /var/log/btmp:
/var/log/btmp {
monthly
create 0600 root root
rotate 1
}

# Note that /var/log/lastlog is not rotated. This is intentional, and it should
# not be. The lastlog file is a database, and is also a sparse file that takes
# up much less space on the drive than it appears.
1. If I am only to keep four weeks of backlogs, why does my /var/log/messages contain about six months of messages?

2. What does logrotate actually do? If set in the compress mode (mine does not appear to be so), is each log compressed to a gz each week? Then after four weeks everything is deleted? In other words what does it mean to rotate?

3. FYI, I looked up the logrotate.d file and it is empty. So there are no parameters set there.

4. What are the btmp and utmp files for?

5. According to my settings in my logrotate.conf, how are my logs deleted? In four-week cycles, or is the fourth week deleted each week?

6. How do I set up to receive emails? Don't I first need to set up an email client or something similar prior to setting up logrotate.conf?


This is what I would like to do, but I am not sure about the syntax:

Since I have only 30 GB available for Slackware on a 60 GB HDD, I have limited room. I figure I only need two months of logging rotated on a weekly basis. In other words, there would be 8 weekly rotations for each log. Each log after eight weeks will be deleted. I wanted to get an email to me@gmail.com of all my logs prior to deletion. I also figure I don't need a mail log or news log. I assume they are for emails and RSS feeds. I have Gmail and all of my emails are archived. So that is not necessary.

Following the example in the man logrotate page, this is what I came up with:
Code:
# sample

/var/log/messages {
    # keep eight weekly archives of this log
    rotate 8
    weekly
    # gzip the rotated archives
    compress
    # mail the archive that is about to be removed
    mail me@gmail.com

    postrotate
        /sbin/killall -HUP syslogd
    endscript
}
Now I am not sure why the syslogd process is sent a HUP in the example.
I am not sure what happens to the logs after 8 weeks.
As stated above, I am trying to do the following:
1) Save compressed weekly logs for eight weeks.
2) Email me eight weeks of logs.
3) Delete the eighth log on a weekly basis.
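An added illustration, not part of the post and not logrotate itself: a small POSIX shell function that mimics what `rotate 8`, `compress` and `mail` do to one log on each weekly run, so the eight-week lifecycle described above can be watched end to end on a constructed log. The function names, the `.maillog` record file and the scratch directory are assumptions of this example; it needs `gzip` on the PATH.

```shell
#!/bin/sh
# Added example: simulates one logrotate run for a single log configured with
#   rotate N / compress / mail <addr>   (this is NOT logrotate; names are assumptions)
# Real logrotate removes the archive that would exceed "rotate N", and with
# "mail" sends that about-to-expire archive first (maillast is the default).

# rotate_once LOG KEEP MAILTO
rotate_once() {
    log=$1; keep=$2; mailto=$3
    # 1. the oldest archive (LOG.KEEP.gz) falls off the end: mail it, then delete it
    if [ -f "$log.$keep.gz" ]; then
        echo "would mail $log.$keep.gz to $mailto" >> "$log.maillog"
        rm -f "$log.$keep.gz"
    fi
    # 2. shift the remaining archives up one slot: .7.gz -> .8.gz ... .1.gz -> .2.gz
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        if [ -f "$log.$i.gz" ]; then
            mv "$log.$i.gz" "$log.$((i + 1)).gz"
        fi
        i=$((i - 1))
    done
    # 3. the live log becomes LOG.1 and is compressed ("compress")
    mv "$log" "$log.1"
    gzip -f "$log.1"
    # 4. "create": start a fresh, empty live log
    : > "$log"
}

# number of compressed archives currently kept for LOG
count_archives() {
    ls "$1".*.gz 2>/dev/null | wc -l | tr -d ' '
}

# contents of archive number N for LOG
archive_content() {
    gzip -dc "$1.$2.gz"
}

# demo: ten "weekly" runs against a constructed log in a scratch directory
demo() {
    d=$(mktemp -d)
    w=1
    while [ "$w" -le 10 ]; do
        echo "week $w" >> "$d/messages"      # constructed sample log line
        rotate_once "$d/messages" 8 me@example.com
        w=$((w + 1))
    done
    ls "$d"; cat "$d/messages.maillog"; rm -rf "$d"
}
demo
```

After ten runs only `messages.1.gz` to `messages.8.gz` remain (weeks 10 down to 3), and the record file shows weeks 1 and 2 being mailed just before they were deleted.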