Log configuration, reports, etc. Note that as of version 5.0, Debian uses rsyslogd.
Stop lower-priority kernel messages from being printed to the console (only messages of priority 4 and above still reach it).
sudo sed -i -e 's/kernel.printk.*$/kernel.printk = 4 4 1 7/' /etc/sysctl.conf
Edit /etc/logrotate.conf to change the rotate option for /var/log/wtmp from 1 to 49, and for /var/log/btmp from 1 to 13.
We installed logcheck to monitor our log files and report on any anomalous entries. The reports are emailed to root.
sudo apt-get install logcheck logcheck-database logtail
Processing runs from cron.d/logcheck, normally 2 minutes after the top of every hour. We've reduced that to every 4 hours instead of every hour:
sudo sed -e 's|^2 \*|2 */4|' -i /etc/cron.d/logcheck
The default filters are pretty good. They alert on critical events and ignore most "normal" events. However, we've added some filters to ignore a few more entry types:
sudo sh -c 'cat > /etc/logcheck/ignore.d.server/ntp-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change [0-9]+$
EOF

sudo sh -c 'cat > /etc/logcheck/ignore.d.server/shorewall-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Shorewall:net2fw:DROP:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Shorewall:logflags:DROP:.*$
EOF

sudo sh -c 'cat > /etc/logcheck/ignore.d.server/fcheck-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fcheck: .INFO: Rebuild of the fcheck database.*$
EOF

sudo sh -c 'cat > /etc/logcheck/ignore.d.server/sudo-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .* : \(command continued\) .*$
EOF

sudo sh -c 'cat > /etc/logcheck/ignore.d.server/ssh-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because none of user's groups are listed in AllowGroups$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because a group is listed in DenyGroups$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Timeout, client not responding\.$
EOF

sudo sh -c 'cat > /etc/logcheck/ignore.d.server/syslog-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog 3\.18\.6, log source = /proc/kmsg started\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="3\.18\.6" x-pid="[[:alnum:]]+" x-info="http://www.rsyslog.com"\] restart$
EOF

sudo sh -c 'cat > /etc/logcheck/ignore.d.server/bind-local' <<'EOF'
^\w{3} [ :0-9]{11} [-._[:alnum:]]+ named\[[0-9]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: query \(cache\) '.*' denied$
^\w{3} [ :0-9]{11} [-._[:alnum:]]+ named\[[0-9]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: bad zone transfer request: '.*': non-authoritative zone \(NOTAUTH\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: network unreachable resolving.*$
EOF
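An ignore rule that is too broad silently hides events, so it is worth checking each local filter against sample entries before installing it. The script below is an added example (not part of the original notes or of the logcheck package): it reproduces logcheck's filtering step, which drops every line matching an ignore rule with grep -E -v -f and reports the rest, and runs the shorewall-local net2fw rule from above over four constructed kernel log lines. The sample hostname, addresses and timestamps are made up; the rule text is the one from the notes.

```shell
#!/bin/sh
# Added example: check what a logcheck ignore rule would suppress.
# Emulates the grep -E -v -f step logcheck uses for ignore.d.server files.

# The net2fw rule from the shorewall-local filter above.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Shorewall:net2fw:DROP:.*$
EOF

# Constructed sample entries in rsyslog's default line format (not real logs).
# Lines 1 and 2 are inbound drops, with and without the kernel timestamp.
# Line 3 is a REJECT and line 4 is an outbound (fw2net) drop; neither should
# be hidden, since an outbound drop from the firewall host itself is worth seeing.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Mar  3 14:02:11 gw kernel: [12345.678901] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP DPT=23
Mar  3 14:02:12 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.9 PROTO=UDP DPT=5060
Mar  3 14:02:13 gw kernel: [12346.000001] Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.9 PROTO=TCP DPT=22
Mar  3 14:02:14 gw kernel: [12346.100002] Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP DPT=25
EOF

# filter_logs RULEFILE < LOG
# Prints the lines logcheck would still report after applying the ignore rules.
filter_logs() {
    grep -E -v -f "$1"
}

# count_reported RULEFILE LOGFILE
# Number of lines that survive the ignore rules.
count_reported() {
    filter_logs "$1" < "$2" | wc -l | tr -d ' '
}

# count_ignored RULEFILE LOGFILE
# Number of lines the ignore rules would hide.
count_ignored() {
    grep -E -c -f "$1" < "$2"
}

echo "Entries hidden by the rule: $(count_ignored "$RULES" "$SAMPLE")"
echo "Entries logcheck would still report:"
filter_logs "$RULES" < "$SAMPLE"
```

For the sample above the rule hides the two net2fw DROP lines and leaves the REJECT and the fw2net DROP in the report. Point the same functions at a day's worth of /var/log/syslog with each new filter file to see exactly what it removes before copying it into /etc/logcheck/ignore.d.server.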
It'd be better to run this as a post-processing hook on logrotate. But logrotate doesn't get run on /var/log/syslog or /var/log/auth.log; they're rotated with savelog (from /etc/cron.daily/sysklogd) instead of logrotate.
We should probably be monitoring some other log files, in addition to syslog and auth.log.
See if logwatch or some other tool might be a better alternative.
We probably miss any log entries that are added between log rotation and the next run of logcheck.
All of the above local ignore filters should probably be suggested as defaults in the Debian or upstream packages.
Check for rootkits regularly, with Rootkit Hunter (rkhunter) or chkrootkit.