UNIX System Administration Handbook - Evi Nemeth [139]
The closelog routine closes the logging channel:
closelog();
You must call this routine if you want to reopen the logging channel with different options. It’s also good form to call closelog when your program exits.
Here’s a complete example:
use Sys::Syslog;
# Identify as "adminscript"; "cons" falls back to the console if syslogd cannot be
# reached, "pid" includes the process ID, and "user" is the facility.
openlog("adminscript", "cons,pid", "user");
# First argument is the priority, second is the message.
syslog("warning", "Those whom the gods would destroy, they first teach Basic.");
closelog();
This scriptlet produces the log entry:
Dec 28 22:56:24 moet.colorado.edu adminscript[191]: Those whom the gods would destroy, they first teach Basic.
11.6 CONDENSING LOG FILES TO USEFUL INFORMATION
Syslog is great for sorting and routing log messages, but when all is said and done, its end product is still a bunch of log files. While they may contain all kinds of useful information, those files aren’t going to come and find you when something goes wrong. Another layer of software is needed to analyze the logs and make sure that important messages don’t get lost amid the chatter.
A variety of free tools are available to fill this niche, and most of them are pretty similar: they scan recent log entries, match them against a database of regular expressions, and process the important messages in some attention-getting way. Some tools mail you a report; others can be configured to make noise, print log entries in different colors, or page you. Tools differ primarily in their degree of flexibility and in the size of their off-the-shelf database of patterns.
Two of the more commonly used log postprocessors are Todd Atkins’ swatch and Craig Rowland’s logcheck. swatch is available from
ftp://ftp.stanford.edu/general/security-tools/swatch/
and logcheck from
http://www.psionic.com/abacus/logcheck/
swatch is a Perl script that gets its marching orders from a configuration file. The configuration syntax is fairly flexible, and it also provides access to the full pattern-matching mojo of Perl. While swatch can process an entire file in a single bound, it’s primarily intended to be left running so that it can review new messages as they arrive, a la tail -f. A disadvantage of swatch is that you must build your own configuration pretty much from scratch; it doesn’t know about specific systems and the actual log messages they might generate.
logcheck is a more basic script written in sh; the distribution also includes a C program that logcheck uses to help it record its place within a log file. Since logcheck knows how far it has read in a log file, there is perhaps less chance of a message slipping by at startup or shutdown time; in addition, logcheck can run at intervals from cron rather than running continuously.
logcheck comes with sample databases for several different versions of UNIX. Even if you don’t want to use the actual script, it’s worth looking over the patterns to see if there are any you might want to steal for your own use.
Both of these tools have the disadvantage of working on only a single log file at a time. If your syslog configuration sorts messages into many different files, you might want to duplicate some of the messages into a central file that is frequently truncated, then use that summary file to feed a postprocessing script. That’s easier than setting up a complicated network of scripts to handle multiple files.
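A minimal postprocessor of the kind described above, added here as an illustration (it is not code from the book, from swatch, or from logcheck): it matches new entries in a summary file against a small pattern list for failed login, su, and sudo attempts and, like logcheck, records how far it has read so that it can be run from cron and can notice when the file has been truncated. The file names, the patterns, and the sample log entries are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Constructed patterns (not swatch's or logcheck's database): failed login, su, sudo.
ALERT_PATTERNS = [
    re.compile(r"FAILED LOGIN|authentication failure", re.I),
    re.compile(r"\b(?:BAD|FAILED) SU\b", re.I),
    re.compile(r"sudo(?:\[\d+\])?: .*command not allowed", re.I),
]

def scan_log(log_path, state_path):
    """Return new lines matching ALERT_PATTERNS. Like logcheck, checkpoint the byte
    offset already reviewed in state_path so a cron run only sees lines added since
    the last run; a file shorter than the checkpoint was truncated, so restart at 0."""
    log, state = Path(log_path), Path(state_path)
    offset = int(state.read_text() or 0) if state.exists() else 0
    if log.stat().st_size < offset:
        offset = 0
    with log.open("rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1  # a partial trailing line waits for the next run
    lines = data[:end].decode("utf-8", "replace").splitlines()
    hits = [ln for ln in lines if any(p.search(ln) for p in ALERT_PATTERNS)]
    state.write_text(str(offset + end))
    return hits

# Constructed sample entries in the syslog line format shown earlier in the chapter.
SAMPLE_LOG = """Dec 28 22:56:24 moet adminscript[191]: Those whom the gods would destroy, they first teach Basic.
Dec 28 22:57:01 moet login[204]: FAILED LOGIN 1 FROM ttyp2 FOR evi, Authentication failure
Dec 28 22:58:10 moet su[210]: BAD SU garth to root on /dev/ttyp3
Dec 28 22:59:42 moet sudo: trent : command not allowed ; TTY=ttyp4 ; COMMAND=/bin/sh
"""

def demo():
    """Four cron-style runs: first scan, nothing new, appended entry, truncated file."""
    log = Path(tempfile.mkdtemp()) / "summary.log"
    state = log.with_suffix(".offset")
    log.write_text(SAMPLE_LOG)
    first = scan_log(log, state)   # three alerts; the adminscript line is filtered out
    second = scan_log(log, state)  # nothing new since the checkpoint
    with log.open("a") as f:
        f.write("Dec 28 23:01:00 moet sshd[230]: authentication failure for root\n")
    third = scan_log(log, state)   # only the appended line
    log.write_text("Dec 29 00:00:01 moet su[240]: BAD SU guest to root on /dev/ttyp1\n")
    fourth = scan_log(log, state)  # file is now shorter than the checkpoint: rescan
    return first, second, third, fourth
```

In a real deployment the hits would be mailed or otherwise surfaced rather than returned, and the checkpoint file should live somewhere that survives the summary file being truncated.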
No matter what system you use to scan log files, there are a couple of things you should be sure to look for and immediately bring to the attention of an administrator:
• Most security-related messages should receive a prompt review. It’s often helpful to monitor failed login, su, and sudo attempts in order to catch potential break-ins before they happen. If someone has just forgotten his password (as is usually the case), a prompt and proactive offer of help will make a good impression