04-11-2002 11:05 PM
about syslog
04-11-2002 11:30 PM
Re: about syslog
You can use swatch for this purpose of parsing the syslog file for alerting.
http://www.oit.ucsb.edu/~eta/swatch/
The description is available at:
http://www.oit.ucsb.edu/~eta/swatch/README
Hope this helps. Regards.
Steven Sim Kok Leong
04-11-2002 11:31 PM
Re: about syslog
First of all, you can decide what comes in the syslog, see man syslog for details and /etc/syslog.conf.
I don't have a script available but am sure someone else will.
HtH, Emiel
04-11-2002 11:34 PM
Re: about syslog
http://www.samag.com/documents/s=1146/sam0109m/0109m_l1.htm
#!/usr/bin/awk -f
#
# looks for basic syslog items: failed logins, blocked connects (via tcpd)
# and bad su's (confirmed in sulog)
#
# copyright(c) 2001 jose nazario
#
BEGIN {
    print "\n\tChecking the syslog"
    print "\t-------------------"
    failed=0
    blocked=0
    badsu=0
    notmine=0
    shellcode=0
    binsh=0
    # name of this host, used below to spot entries that came from elsewhere
    # (a quoted "$HOSTNAME" inside awk is a literal string, not the shell variable)
    "hostname" | getline HOSTNAME
    close("hostname")
}
{
    if ($5 ~ /login*/) {
        # useful for IRIX
        if ($6 ~ /failed*/) {
            print "failed login: "$9"\tat "$1" "$2" "$3" from\t"$7
            failed=failed+1
        }
        # useful for Linux
        if ($0 ~ /LOGIN.FAILURE/) {
            print "failed login: "$11"\tat "$1" "$2" "$3" from\t"$10
            failed=failed+1
        }
        # also useful for Linux
        if ($0 ~ /FAILED.LOGIN/) {
            print "failed login: "$10"\tat "$1" "$2" "$3" from\t"$12
            failed=failed+1
        }
    } # end if $5 == login...
    # looking for failed sshd1 logins, openssh2 format
    if ($5 ~ /sshd*/) {
        if ($6 == "Failed") {
            print "failed login: "$9"\tat "$1" "$2" "$3" from\t"$11
            failed=failed+1
        }
    }
    # tcp wrappers check
    if ($6 ~ /refused/) {
        source=$9
        printf("blocked %-32s\tto "$5" at\t"$1" "$2" "$3"\n", source)
        blocked=blocked+1
    }
    # syslog su checking (backed up in sulog on IRIX, Solaris)
    # IRIX, Solaris, Linux
    if (($5 ~ /su\[*/) && ($6 ~ /failed*/)) {
        badsu=badsu+1
        printf("failed su from "$10" to "$12" at \t"$1" "$2" "$3"\n")
    }
    # Linux using PAM (ie RedHat)
    if (($12 ~ /su/) && ($7 ~ /failure*/)) {
        badsu=badsu+1
        print "failed su from "$8" to "$10" at \t"$1" "$2" "$3
    }
    # HPUX 10.20
    if (($6 == "su") && ($7 == "-")) {
        badsu=badsu+1
        print "failed su: "$9" at \t"$1" "$2" "$3
    }
    # looking for not local syslog messages (field 4 is the originating host)
    if ($4 != HOSTNAME) {
        notmine=notmine+1
        print "nonlocal syslog entry:"
        print $0
    }
    # looking for possible exploit signatures
    # \x90 is x86 only!
    if ($0 ~ /\x90/) {
        shellcode=shellcode+1
        print "----------------- Possible buffer overflow at line "NR
        print "time: "$1" "$2" "$3" process was "$5
    }
    if ($0 ~ /bin.sh/) {
        binsh=binsh+1
        print "------------- Possible call to /bin/sh at line "NR
        print "time: "$1" "$2" "$3" process was "$5
    }
}
END {
    print "\t----------------------------------------"
    printf("\trecords processed:\t%15d\n", NR)
    printf("\tnumber of failed logins:%15d\n", failed)
    printf("\tblocked connections:\t%15d\n", blocked)
    printf("\tnumber of failed su's:\t%15d\n", badsu)
    printf("\tlines not from localhost:%15d\n", notmine)
    printf("\tpossible shellcode found:%15d\n", shellcode)
    printf("\tpossible /bin/sh calls:%15d\n\n", binsh)
}
04-11-2002 11:34 PM
Re: about syslog
you could simply use the grep command to find keywords in your syslog file:
grep -i keyword /var/adm/syslog/syslog.log
the -i option ignores case sensitivity. You could make a cron job which is run at desired times, which would send you a mail to root's mail account.
Always stay on the bright side of life!
Peter
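Peter's grep-in-cron suggestion worked out as an added example (not code from the thread): a POSIX sh script that scans syslog.log for alert keywords, remembers how far it got so each cron run reports only lines written since the last run (and starts over if the log was rotated), and mails root only when there is something to report. The LOG, STATE and PATTERN values, the mailx call and the crontab line are assumptions; check PATTERN against the su and tcpd message formats on your own host.

```shell
#!/bin/sh
# Incremental keyword scan of the HP-UX syslog, meant to be run from cron.
# (Added example; paths, the keyword list and the use of mailx are assumptions.)

LOG=${LOG:-/var/adm/syslog/syslog.log}       # syslog.log path (assumed)
STATE=${STATE:-/var/adm/syslog/.lastcheck}   # checkpoint: lines already inspected
# Keywords worth an alert: su logs a failed switch with a "-", tcpd logs
# "refused"; the su spelling varies, so both forms seen in this thread are listed.
PATTERN='su: -|su : -|failed|refused|error|warning'

# report_new LOG STATE PATTERN
# Prints the lines written after the last checkpoint that match PATTERN
# (case-insensitive), then advances the checkpoint to the end of the file.
# A file shorter than the checkpoint was rotated or truncated, so the scan
# restarts from line 1 instead of silently skipping entries.
report_new() {
    log=$1; state=$2; pat=$3
    last=0
    [ -r "$state" ] && last=$(cat "$state")
    [ -n "$last" ] || last=0
    total=$(awk 'END { print NR }' "$log")
    if [ "$total" -lt "$last" ]; then
        last=0
    fi
    # grep exits 1 when nothing matches; that is not an error here
    awk -v start="$last" 'NR > start' "$log" | grep -Ei "$pat" || :
    echo "$total" > "$state"
}

# Mail root only when report_new found something.
# Example crontab entry (assumption):
#   0,30 * * * * /usr/local/sbin/syslogcheck.sh run
main() {
    hits=$(report_new "$LOG" "$STATE" "$PATTERN")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | mailx -s "syslog alert on $(hostname)" root
    fi
}

case ${1:-} in
    run) main ;;
esac
```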
04-12-2002 12:14 AM
Re: about syslog
my syslog.conf is:
mail.debug	/var/adm/syslog/mail.log
*.info;mail.none	/var/adm/syslog/syslog.log
*.alert	/dev/console
*.alert	root
*.emerg	*
04-12-2002 12:16 AM
Re: about syslog
First let the system run for a while and see what kind of errors come often, then make sure you receive acknowledgement when something happens. You can always grep for [error] of course and warning etcetera.
GL, E.
04-12-2002 12:53 AM
Re: about syslog
It is a very common thing to put a crontab:
00,10,20,30,40,50 * * * * /usr/sbin/dmesg - > /var/adm/messages
With it, you can make a script that checks the content of the output file "messages", looking for keywords or errors.
I hope this helps.
Juanma.
04-12-2002 01:08 AM
Re: about syslog
04-12-2002 01:15 AM
Re: about syslog
Please, do not forget to give us points.
Thanks.
Juanma.
04-12-2002 01:17 AM
Re: about syslog
I think iambluegary is in the process of installing swatch, like Steven Sim Kok Leong recommended.
Regards,
Mateja
04-12-2002 01:23 AM
Re: about syslog
You might as well think about using HP-ITO or a program like Big Brother
http://bb4.com/
C.
04-12-2002 01:24 AM
Re: about syslog
grtz, E.