topic Re: about syslog in Operating System - HP-UX

about syslog

iambluegary — Fri, 12 Apr 2002 06:05:12 GMT

i wanna know which messages in syslog.log that i should care,is there some shell script could check syslog automatic?

Re: about syslog

Steven Sim Kok Leong — Fri, 12 Apr 2002 06:30:15 GMT

Hi,

You can use swatch for this purpose of parsing the syslog file for alerting.

http://www.oit.ucsb.edu/~eta/swatch/

The description is available at:

http://www.oit.ucsb.edu/~eta/swatch/README

Hope this helps. Regards.

Steven Sim Kok Leong

Re: about syslog

Emiel van Grinsven — Fri, 12 Apr 2002 06:31:27 GMT

Hi,

First of all, you can decide what comes in the syslog, see man syslog for details and /etc/syslog.conf.
I don't have a script available but am sure someone else will.

HtH, Emiel

Re: about syslog

Ceesjan van Hattum — Fri, 12 Apr 2002 06:34:07 GMT

Found at
http://www.samag.com/documents/s=1146/sam0109m/0109m_l1.htm

#!/usr/bin/awk -f
#
# looks for basic syslog items: failed logins, block connects (via tcpd)
# and bad su's (confirmed in sulog)
#
# copyright(c) 2001 jose nazario
#
BEGIN {
print "\n\tChecking the syslog"
print "\t-------------------"
failed=0
blocked=0
badsu=0
notmine=0
shellcode=0
binsh=0
}

{
if ($5 ~ /login*/) {
# useful for IRIX
if ($6 ~ /failed*/) {
print "failed login: "$9"\tat "$1" "$2" "$3" from\t"$7
failed=failed+1
}
# useful for Linux
if ($0 ~ /LOGIN.FAILURE/) {
print "failed login: "$11"\tat "$1" "$2" "$3" from\t"$10
failed=failed+1
}
# also useful for Linux
if ($0 ~ /FAILED.LOGIN/) {
print "failed login: "$10"\tat "$1" "$2" "$3" from\t"$12
failed=failed+1
}
} # end if $5 == login...

#looking for failed sshd1 logins, openssh2 format
if ($5~ /sshd*/) {
if ($6 == "Failed"){
print "failed login: "$9"\tat "$1" "$2" "$3" from\t"$11
failed=failed+1
}
}

# tcp wrappers check
if ($6 ~ /refused/) {
source=$9
printf("blocked %-32s\tto "$5" at\t"$1" "$2" "$3"\n", source)
blocked=blocked+1
}

# syslog su checking (backed up in sulog on IRIX, Solaris)
# IRIX, Solaris, Linux
if (($5 ~ /su\[*/) && ($6 ~ /failed*/)) {
badsu=badsu+1
printf("failed su from "$10" to "$12" at \t"$1" "$2" "$3"\n")
}
# Linux using PAM (ie RedHat)
if (($12 ~ /su/) && ($7 ~ /failure*/)) {
badsu=badsu+1
print "failed su from "$8" to "$10" at \t"$1" "$2" "$3
}
# HPUX 10.20
if (($6 == "su") && ($7 == "-")) {
badsu=badsu+1
print "failed su: "$9" at \t"$1" "$2" "$3
}

# looking for not local syslog messages
if ($4 != "$HOSTNAME") {
notmine=notmine+1
print "nonlocal syslog entry:"
print $0
}

# looking for possible exloit signatures

# \x90 is x86 only!
if ($0 ~ /\x90/) {
shellcode=shellcode+1
print "----------------- Possible buffer overflow at line "NR
print "time: "$1" "$2" "$3" process was "$5
}
if ($0 ~ /bin.sh/) {
binsh=binsh+1
print "------------- Possible call to /bin/sh at line "NR
print "time: "$1" "$2" "$3" process was "$5
}
}

END {
print "\t----------------------------------------"
printf("\trecords processed:\t%15d\n", NR)
printf("\tnumber of failed logins:%15d\n", failed)
printf("\tblocked connections:\t%15d\n", blocked)
printf("\tnumber of failed su's:\t%15d\n", badsu)
printf("\tlines not from localhost:%15d\n", notmine)
printf("\tpossible shellcode found:%15d\n", shellcode)
printf("\tpossible /bin/sh calls:%15d\n\n", binsh)
}

Re: about syslog

Peter Kloetgen — Fri, 12 Apr 2002 06:34:28 GMT

Hi Bluegary,

you could simply use the grep- command to find keywords in your syslog- file:

grep -i keyword /var/adm/syslog/syslog.log

the -i option ignores case sensitivity. You could make a cron job which is run at desired times, which would send you a mail to roots mail account.

Allways stay on the bright side of life!

Peter

Re: about syslog

iambluegary — Fri, 12 Apr 2002 07:14:07 GMT

i know about grep,i just wanna to know which kind of message i should take care of.
my syslog.conf is :mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *

Re: about syslog

Emiel van Grinsven — Fri, 12 Apr 2002 07:16:50 GMT

hi,

First let the system run for a while and see what kind of error come often, then make sure you recieve aknowledgement when something happens. You can always grep for [error] ofcourse and warning etcetera.

GL, E.

Re: about syslog

Juan Manuel López — Fri, 12 Apr 2002 07:53:26 GMT

Hi,
It is a very common thing put a crontab :

00,10,20,30,40,50 * * * * /usr/sbin/dmesg - > /var/adm/messages

With it, you can make a script that check the content of tho output file " messages ", looking for keywords or errors.

I hope this help.

Juanma.

Re: about syslog

Emiel van Grinsven — Fri, 12 Apr 2002 08:08:15 GMT

Are you not happy with the answers?

Re: about syslog

Juan Manuel López — Fri, 12 Apr 2002 08:15:23 GMT

As my pal said, Are you not happy with the answers ?
Please, do not forget to give us points.

Thanks.

Juanma.

Re: about syslog

Mateja Bezjak — Fri, 12 Apr 2002 08:17:09 GMT

Hi,

I think iambluegary is in the process of installing swatch, like Steven Sim Kok Leong recommended.

Regards,
Mateja

Re: about syslog

Clemens van Everdingen — Fri, 12 Apr 2002 08:23:14 GMT

Hi,

You might as well think about using HP-ITO or a program lik Big Brother

http://bb4.com/

C.

Re: about syslog

Emiel van Grinsven — Fri, 12 Apr 2002 08:24:09 GMT

You're probably right, it was meant mostly funny :-)

grtz, E.