logging questions for security purposes.
Results 1 to 3 of 3

Thread: logging questions for security purposes.

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    6

    Question logging questions for security purposes.

    Hi all.
    As I had stated on my short bio. I feel that I was caught with my pants down. This has motivated me to diligently seek to better secure my system.

    Now I am trying to "harden" my system. First by changing my logging setup.

    From what I understand the logrotate.conf determines how long to keep the logs and what to do with the /var/log/.... It seems that my /var/log/messages does not reflect the settings in the logrotate.conf. My /var/log/messages file is HUGE with six months of logging. Ive read the man pages on logrotate but a few things are not clear.
    Here is a copy of my /etc/logrotate.conf
    # /etc/logrotate.conf
    #
    # logrotate is designed to ease administration of systems that generate large
    # numbers of log files. It allows automatic rotation, compression, removal, and
    # mailing of log files. Each log file may be handled daily, weekly, monthly, or
    # when it grows too large.
    #
    # logrotate is normally run daily from root's crontab.
    #
    # For more details, see "man logrotate".

    # rotate log files weekly:
    weekly

    # keep 4 weeks worth of backlogs:
    rotate 4


    # create new (empty) log files after rotating old ones:
    create

    # uncomment this if you want your log files compressed:
    #compress

    # some packages install log rotation information in this directory:
    include /etc/logrotate.d

    # Rotate /var/log/wtmp:
    /var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
    }

    # Rotate /var/log/btmp:
    /var/log/btmp {
    monthly
    create 0600 root root
    rotate 1
    }

    # Note that /var/log/lastlog is not rotated. This is intentional, and it should
    # not be. The lastlog file is a database, and is also a sparse file that takes
    # up much less space on the drive than it appears.
    1. Why if I am only to keep four weeks of backlogs, why does my /var/log/messages contain about six months of messages.

    2. What does logrotate actually do? If set in the compress mode (mine does not appear to be so), is each log compressed to a gz each week? Then after four weeks everything is deleted? In other words what does it mean to rotate?

    3. FYI, I looked up the logrotate.d file and it is empty. So there are no parameters set there.

    4. What are the btmp and utmp files for?

    5. According to my settings in my logrotate.conf, how are my logs deleted. In four week cycles? OR Is the fourth week deleted each week?

    6. How do I setup to receive emails? Don't I first need to setup an email client or something similar prior to setting up logrotate.conf?


    This is what a would like to do, but not sure about syntax:

    Since I have only 30 gb available for slackware on a 60 gb hdd, I have limited room. I figure I only need two months of logging rotated on a weekly basis. In other words, there would be 8 weekly rotations for each log. Each log after eight weeks will be deleted. I wanted to get an email to me@gmail.com of all my logs prior to deletion. I also figure I don't need a mail log or news log. I assume they are for emails and rss feeds. I have gmail and all of my emails are archived. So that is not necessary.

    Following the example in the man logrotate page, this is what I came up with:
    Code:
    # sample 
    
           /var/log/messages {
               rotate 8
               weekly
    compress
    mail me@gmail.com
    
               postrotate
                   /sbin/killall -HUP syslogd
               endscript
           }
    Not I am not sure why the syslogd process is killed in the example.
    I am not sure what happens to the logs after 8 weeks.
    As stated above, I am trying to do the following:
    1) Save compressed weekly logs for eight weeks.
    2)Email me eight weeks of logs.
    3)Delete the eighth log on a weekly basis.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    http://www.linuxquestions.org/questi...ogfile-616792/

    NB Try not to use killall. If you're ever on Solaris and issue a killall, you'll really kill ALL processes.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    6

    Thumbs up

    Thanks for the advice.

Similar Threads

  1. Asking smart questions
    By pwaring in forum Other Tutorials Forum
    Replies: 60
    Last Post: October 22nd, 2004, 09:15 PM
  2. Read Me First
    By Negative in forum The Security Tutorials Forum
    Replies: 12
    Last Post: June 2nd, 2004, 01:09 AM
  3. about mozilla
    By moonstar550 in forum AntiOnline's General Chit Chat
    Replies: 10
    Last Post: April 10th, 2004, 02:03 AM
  4. Central Secure Logging in a Win2k Environment
    By Tiger Shark in forum The Security Tutorials Forum
    Replies: 5
    Last Post: March 4th, 2004, 04:00 PM
  5. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 07:01 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides