Linux LOG files!

Today I was setting up iptables and sending its log messages to a separate file so that I can find all the alerts and info easily. Then it came to mind to quickly write a blog post, in case any newbie wants some basic idea about Linux logs (trying to catch a hacker? Not easy! hehe). I am doing this on my Debian system (later I will edit this post when I do the same thing on other distros :)).


System logs are really important: they store system security events, security auditing information, debugging output and other information in specific files. They can be used for various security tasks: logging (fake or real) hacker activity, tracking down system issues, etc. Where the log files are saved and what type of logs are generated is specified in "/etc/rsyslog.conf" (Debian/Ubuntu). Here is my current configuration file:

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
#$ModLoad immark # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
kern.warning /var/log/iptables.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
## (rest of the file stripped)



We configure everything about the logs in this file. Linux/Unix usually stores the logs in the directory "/var/log/" unless configured otherwise. In "/var/log" we can find all the log files:

 http://pastebin.com/d0LfNFfg

Let me explain a few of them:

apt         ==  Package installation and removal logs.
auth.log    ==  Authorization related logs.
debug       ==  Debugging logs.
dmesg       ==  Dump of the kernel message buffer.
exim4       ==  exim4 mail server logs.
faillog     ==  Failed login attempts.
kern.log    ==  Kernel level log.
lastlog     ==  Last login information.
messages    ==  Main log file.
mail.*      ==  Mail related info, alert, warning.
mysql       ==  MySQL log.
pure-ftpd   ==  FTP logs.
syslog      ==  Main log file.
wtmp        ==  Login records.


Well, to customize the logs we need to know a few things that are indicated in the rsyslog.conf file:

1. Facility (which part of the system generated the message?)
2. Level (info, warning, alert etc.)

Facilities are:

auth      ==  Security & authorization.
authpriv  ==  Private authorization messages.
cron      ==  Cron daemon.
user      ==  User processes.
mail      ==  Mail related messages.
ftp       ==  FTP related messages.
kern      ==  Kernel related messages.
lpr       ==  Printer logs.
etc.


Levels are (depending on how much you want to know), from most to least severe:

alert    ==  Urgent.
crit     ==  Critical messages.
err      ==  Error messages.
warning  ==  Warning messages.
notice   ==  Suggest to verify!
info     ==  Informational messages.
debug    ==  Debugging purposes.

From the configuration file it is easy to see how the facility and level are indicated. For example:

mail.info            -/var/log/mail.info

Here "mail" is the facility, "info" is the level, and "/var/log/mail.info" says where to save the messages. A level in a selector means that level and everything more severe, so mail.info also catches mail.warn and mail.err messages. The leading "-" before a path tells rsyslog it may skip syncing the file after every write, which is faster but can lose the last lines if the machine crashes.

Now I am going to show some examples.

Let's see what the SSH logs look like. SSH logs are usually saved in "/var/log/auth.log":

root@logtest:/var/log# cat auth.log
root@logtest:/var/log#

Blank!

So I first try a failed login attempt:

science@BAD-LUCK:~$ ssh root@192.168.78.130

root@192.168.78.130's password:

Permission denied, please try again.

root@192.168.78.130's password:

Now let's see what is in auth.log:

root@logtest:/var/log# cat auth.log

Feb 27 10:59:44 scientific sshd[4285]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hacker.local user=root
Feb 27 10:59:46 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 11:00:01 scientific CRON[4287]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 27 11:00:17 scientific CRON[4287]: pam_unix(cron:session): session closed for user root

It clearly says that "hacker" (the client's computer name) tried to log in as user root over SSH (port 22). The next line also says the failed attempt came from 192.168.78.1 (60904 is the client's source port).

Again I attempted to log in, this time to the FTP server (ftp 192.168.78.1). Then I saw that the failed authentication attempt was also saved in auth.log:

Feb 27 11:23:08 scientific pure-ftpd: pam_unix(pure-ftpd:auth): check pass; user unknown
Feb 27 11:23:08 scientific pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=aaaaaaaaaaaaa rhost=hacker.local


The logs can be saved somewhere else too if we indicate it in rsyslog.conf. For example, I have made my own log file for the iptables logs (the path is not quoted in the legacy rule format, and comments go on their own line):

# iptables LOG rules write through the kernel, so their messages arrive with facility kern
kern.warning    /var/log/iptables.log

Note that this selector matches every kernel message of level warning or above, not only the iptables ones, and the kern.* rule earlier in the file still sends the same messages to kern.log and syslog, so they will show up in both places.
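To see exactly which files a message lands in under the selector rules explained above (including the iptables.log rule and the duplication it causes), here is a small model of rsyslog's legacy "facility.level  action" matching. It is an added example, not part of the original post and not rsyslog's own code; the rule text is copied from the rsyslog.conf shown in the post, and the facility and level tables are the standard syslog ones.

```python
"""Toy model of rsyslog's legacy 'facility.level  action' selector lines.

Added example, not part of the original post and not rsyslog's own code.  The
rules below are copied from the rsyslog.conf shown in the post so you can ask
which files a message of a given facility and level ends up in.
"""

from typing import Dict, List, Set, Tuple

# Syslog severities: lower number = more severe.  A bare level in a selector
# matches that severity and everything more severe (smaller number).
LEVELS = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
          "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Rules from the post's configuration (comments dropped).  A leading "-" on
# the path lets rsyslog skip syncing the file after every write.
RULES_TEXT = """
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
kern.warning                    /var/log/iptables.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
"""

Rule = Tuple[Dict[str, Set[int]], str, bool]  # (matcher, path, sync after write)


def parse_priority(spec: str, current: Set[int]) -> Set[int]:
    """Severities selected by one priority spec such as 'warning', '=info',
    '!err', 'none' or '*'.  'current' is the facility's set so far; the '!'
    forms subtract from it."""
    if spec == "*":
        return set(LEVELS.values())
    if spec == "none":
        return set()
    if spec.startswith("!"):
        return current - parse_priority(spec[1:], current)
    if spec.startswith("="):
        return {LEVELS[spec[1:]]}
    return {n for n in LEVELS.values() if n <= LEVELS[spec]}


def parse_selector(selector: str) -> Dict[str, Set[int]]:
    """Expand e.g. '*.*;auth,authpriv.none' into {facility: severities}.

    Parts are applied left to right, so 'auth,authpriv.none' overrides the
    earlier '*.*' for those two facilities only.
    """
    matched: Dict[str, Set[int]] = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        fac_spec, prio_spec = part.rsplit(".", 1)
        facs = FACILITIES if fac_spec == "*" else fac_spec.split(",")
        for fac in facs:
            matched[fac] = parse_priority(prio_spec, matched[fac])
    return matched


def parse_rules(text: str) -> List[Rule]:
    """Turn 'selector  action' lines into (matcher, path, sync) rules."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((parse_selector(selector), action.lstrip("-"),
                      not action.startswith("-")))
    return rules


def route(rules: List[Rule], facility: str, level: str) -> List[str]:
    """Every file a message with this facility and level is written to.  One
    message can match several rules, so it can land in several files."""
    sev = LEVELS[level]
    return [path for matcher, path, _sync in rules if sev in matcher[facility]]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for fac, lvl in [("auth", "info"), ("kern", "warning"), ("kern", "info"), ("mail", "err")]:
        print(f"{fac}.{lvl:<8} -> {', '.join(route(rules, fac, lvl))}")
```

Running it shows that an auth.info message goes only to auth.log (the "auth,authpriv.none" part keeps it out of syslog), while a kern.warning message is written to syslog, kern.log and iptables.log, and a kern.info message is not written to iptables.log at all.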



If someone brute-forces any of the services such as ssh, ftp etc., then all the failed attempts will be saved to auth.log (be careful if you are trying to hack! :) always clean the log files).
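Since every failed attempt ends up in auth.log, a defender can spot a brute-force run by counting failures per remote host inside a short time window. The script below does that for the two line formats shown in the post (sshd's "Failed password" line and the pam_unix "authentication failure" line used by pure-ftpd). It is an added example, not part of the original post; the sample log is constructed for the example, with a few lines copied from the post and the rest made up, and the threshold and window values are arbitrary assumptions.

```python
"""Brute-force detector for the auth.log lines shown in the post.

Added example, not part of the original post.  It counts authentication
failures per (service, remote host) inside a sliding time window and reports
the hosts that reach a threshold.  The sample log below is constructed so the
script runs offline; the first, second and seventh lines are copied from the
post, the others are made up to simulate a brute-force run.
"""

import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Classic syslog timestamp carries no year; strptime defaults it to 1900,
# which is fine for computing time differences inside one file.
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<rest>.*)$")

# sshd's own failure message; "invalid user" appears for unknown accounts.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+")

# pam_unix failure line written by sshd, pure-ftpd, login and others.
PAM_RE = re.compile(
    r"pam_unix\((?P<service>[\w.-]+):auth\): authentication failure;.*"
    r"rhost=(?P<host>\S*)")

SAMPLE_AUTH_LOG = """\
Feb 27 10:59:44 scientific sshd[4285]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hacker.local user=root
Feb 27 10:59:46 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 10:59:49 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 10:59:53 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 11:00:01 scientific CRON[4287]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 27 11:00:17 scientific CRON[4287]: pam_unix(cron:session): session closed for user root
Feb 27 11:23:08 scientific pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=aaaaaaaaaaaaa rhost=hacker.local
Feb 27 11:45:10 scientific sshd[4301]: Failed password for invalid user admin from 192.168.78.1 port 60910 ssh2
Feb 27 11:45:12 scientific sshd[4302]: Failed password for invalid user admin from 192.168.78.1 port 60911 ssh2
Feb 27 11:45:15 scientific sshd[4303]: Failed password for invalid user admin from 192.168.78.1 port 60912 ssh2
Feb 27 11:45:17 scientific sshd[4304]: Failed password for invalid user admin from 192.168.78.1 port 60913 ssh2
"""


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, service, remote host) for a failed login, else None.

    sshd logs both a pam_unix line (hostname) and its own 'Failed password'
    line (IP address) for one attempt; only the latter is counted so a single
    bad password is not counted twice.
    """
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    rest = m.group("rest")
    s = SSHD_RE.search(rest)
    if s:
        return ts, "sshd", s.group("host")
    p = PAM_RE.search(rest)
    if p and p.group("service") != "sshd" and p.group("host"):
        return ts, p.group("service"), p.group("host")
    return None


def detect_bruteforce(lines: List[str], threshold: int = 3,
                      window_s: int = 60) -> Dict[Tuple[str, str], int]:
    """Map (service, host) -> highest number of failures seen inside any
    window_s-second window, for pairs that reached the threshold."""
    recent = defaultdict(deque)          # (service, host) -> timestamps in window
    peaks: Dict[Tuple[str, str], int] = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, service, host = parsed
        q = recent[(service, host)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop old failures
            q.popleft()
        if len(q) >= threshold:
            peaks[(service, host)] = max(peaks.get((service, host), 0), len(q))
    return peaks


if __name__ == "__main__":
    for (service, host), n in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"possible brute force: {n} {service} failures from {host} within 60s")
```

With the defaults, only the SSH source 192.168.78.1 is reported (four failures inside one minute); the single pure-ftpd failure from hacker.local stays below the threshold. To run it against a real file, feed `open("/var/log/auth.log")` to detect_bruteforce instead of the sample text.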

More:
http://en.wikipedia.org/wiki/Syslog
http://www.rsyslog.com/doc/manual.html