LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-29-2005, 02:49 PM   #1
AnRkey
Member
 
Registered: Dec 2004
Location: UK
Distribution: Ubuntu, Fedora and not for long, M$ SuSE
Posts: 59

Rep: Reputation: 15
Question Emailing log files and system mail...


Hi all

I want to have my log files emailed to me. I was thinking about setting up a daily cron job to do this using sendmail.

Firstly though... what logs should I be checking everyday?
Secondly... I am having trouble getting a command worked out that would send a file, so could someone give an example of how this is done? (I am losing hair from reading the man page over and over.)
Thirdly... How can I change the email address of who gets the system events and mail? ATM the root account gets them.

I am using SuSE 10.

Thanks for any help...

John
 
Old 10-29-2005, 03:25 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 3,990

Rep: Reputation: 261
Many distros will configure the logwatch package to mail logged events to the root administrator daily. It can be configured. You might look at installing it if you don't have it already. There's also software like swatch which can alert based on log entries.

You can configure this software to mail to different accounts, or you can alias root@yourbox to some other address either via a .forward or by adding an alias to /etc/mail/aliases.
 
Old 11-01-2005, 02:21 AM   #3
AnRkey
Member
 
Registered: Dec 2004
Location: UK
Distribution: Ubuntu, Fedora and not for long, M$ SuSE
Posts: 59

Original Poster
Rep: Reputation: 15
Which LOG files then?

Logwatch does not come with SuSE 10, it seems... I found it online and installed it without fuss. Logwatch seems easy to use, and now, which log files should I be checking?

I just want to know if someone dictionary-attacks my box or hammers Apache etc.

Another thing. Are there any nice GUI log analyzers that anyone would suggest?

Thanks in advance...

John
 
Old 11-01-2005, 02:36 AM   #4
AnRkey
Member
 
Registered: Dec 2004
Location: UK
Distribution: Ubuntu, Fedora and not for long, M$ SuSE
Posts: 59

Original Poster
Rep: Reputation: 15
What could this be?

What could this be? I found these lines in my /var/logs/warn file. There are thousands of them and these are the last few:

Code:
Nov 1 08:24:20 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=24.3.211.118 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=5636 DF PROTO=TCP SPT=47050 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 1 08:24:23 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=72.129.91.181 DST=83.146.42.229 LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=44548 PROTO=UDP SPT=6881 DPT=6881 LEN=66
Nov 1 08:24:23 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=24.3.211.118 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=5821 DF PROTO=TCP SPT=47050 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 1 08:24:29 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=24.3.211.118 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=6193 DF PROTO=TCP SPT=47050 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 1 08:24:32 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=67.51.21.227 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2616 DF PROTO=TCP SPT=60790 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 1 08:24:35 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=67.51.21.227 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2959 DF PROTO=TCP SPT=60790 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)

Any help would be cool
 
Old 11-01-2005, 02:38 AM   #5
AnRkey
Member
 
Registered: Dec 2004
Location: UK
Distribution: Ubuntu, Fedora and not for long, M$ SuSE
Posts: 59

Original Poster
Rep: Reputation: 15
More

Code:
Nov 1 08:30:32 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=83.197.139.35 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=34118 PROTO=TCP SPT=53942 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058601010402)
Nov 1 08:30:41 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=137.186.195.93 DST=83.146.42.229 LEN=65 TOS=0x00 PREC=0x00 TTL=53 ID=28447 PROTO=UDP SPT=6881 DPT=6881 LEN=45
Nov 1 08:31:00 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=12.144.213.73 DST=83.146.42.229 LEN=86 TOS=0x00 PREC=0x00 TTL=109 ID=436 PROTO=UDP SPT=6881 DPT=6881 LEN=66
Nov 1 08:31:20 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=69.159.234.132 DST=83.146.42.229 LEN=86 TOS=0x00 PREC=0x00 TTL=113 ID=6684 PROTO=UDP SPT=60071 DPT=6881 LEN=66
Nov 1 08:31:41 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=82.67.223.139 DST=83.146.42.229 LEN=86 TOS=0x00 PREC=0x00 TTL=52 ID=61718 PROTO=UDP SPT=6881 DPT=6881 LEN=66
Nov 1 08:31:50 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=24.235.184.234 DST=83.146.42.229 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=57522 DF PROTO=TCP SPT=3400 DPT=6881 WINDOW=58944 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Nov 1 08:31:53 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=24.235.184.234 DST=83.146.42.229 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=57562 DF PROTO=TCP SPT=3400 DPT=6881 WINDOW=58944 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Nov 1 08:32:01 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=62.123.130.119 DST=83.146.42.229 LEN=86 TOS=0x00 PREC=0x00 TTL=118 ID=9300 PROTO=UDP SPT=7881 DPT=6881 LEN=66
Nov 1 08:32:11 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=83.242.62.184 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=15081 DF PROTO=TCP SPT=3825 DPT=135 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (0204055001010402)
Nov 1 08:32:21 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=138.217.118.17 DST=83.146.42.229 LEN=65 TOS=0x00 PREC=0x00 TTL=105 ID=56875 PROTO=UDP SPT=22209 DPT=6881 LEN=45
Nov 1 08:32:39 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=217.26.89.3 DST=83.146.42.229 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=40739 DF PROTO=TCP SPT=60226 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (02040564)
Nov 1 08:32:41 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=210.84.27.189 DST=83.146.42.229 LEN=65 TOS=0x00 PREC=0x00 TTL=44 ID=33727 PROTO=UDP SPT=6881 DPT=6881 LEN=45
Nov 1 08:32:50 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=80.235.56.248 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=5234 DF PROTO=TCP SPT=61081 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
Nov 1 08:33:02 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=80.24.39.182 DST=83.146.42.229 LEN=86 TOS=0x00 PREC=0x00 TTL=111 ID=53724 PROTO=UDP SPT=6889 DPT=6881 LEN=66
Nov 1 08:33:18 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=81.179.196.175 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=43384 DF PROTO=TCP SPT=1853 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058A01010402)

Last edited by AnRkey; 11-10-2005 at 04:40 PM.
 
Old 11-10-2005, 03:04 PM   #6
AnRkey
Member
 
Registered: Dec 2004
Location: UK
Distribution: Ubuntu, Fedora and not for long, M$ SuSE
Posts: 59

Original Poster
Rep: Reputation: 15
Anyone?

Is there anyone who can help me with this? Sorry for the long post before. I just wanted to give as much info as possible. I hope I did not upset anyone.

Any help would be cool. Even if it's just a page/site that can show me how to understand this log.

Thanks

John
 
Old 11-10-2005, 06:17 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603
Quote:
Sorry for the long post before. I just wanted to give as much info as possible.
Actually the more info the better. If it were much more, then I guess we'd prefer a download location for the file if you can handle that.


Quote:
Even if it's just a page/site that can show me how to understand this log.
In the LQ FAQ: Security references under Iptables there's a link to an Iptables logfile analyzer.


If you unfsck* your logs this is what you'd get:
Code:
24.3.211.118    TCP  DPT=6881
72.129.91.181   UDP  DPT=6881
24.3.211.118    TCP  DPT=6881
24.3.211.118    TCP  DPT=6881
67.51.21.227    TCP  DPT=6881
67.51.21.227    TCP  DPT=6881
(...)
83.242.62.184   TCP  DPT=135
138.217.118.17  UDP  DPT=6881
(ad nauseam)
...which means some Bittorrent traffic is dropped from some hosts.


Quote:
Logwatch seems easy to use and now, which Log files should I be checking?
I just want to know if some dictionary attacks my box or hammers apache etc.

Your system logs and any logs for services you run. Especially those that you made publicly available.


Quote:
Another thing. Are there any nice GUI log analyzers that anyone would suggest?
"Nice" wouldn't be my first criterion. I didn't find any general "good" ones a while ago. Maybe search Freshmeat.net and Sourceforge.

* Warning, gratuitous sed usage ahead. I mean:
Code:
cat log|tr -s " "|cut -d " " -f 10,17-23|sed -e "s/LEN=.*[[:blank:]]/ /g" -e "s/WIN.*[[:blank:]]S/S/g" -e "s/PROTO=//g" -e "s/SRC=//g" -e "s/DF //g"|awk '{print $1, $2, $4}'|column -t
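Added example, not code from the thread: a Python version of the per-host/protocol/port view that the sed pipeline above produces, extended with a count per tuple (so a single host hammering one port stands out) and wrapped in a mail message of the kind the original poster wanted a daily cron job to send. The four sample lines are copied from the /var/log/warn excerpts above; the sender root@localhost and the recipient address are assumptions.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Sample input copied from the poster's /var/log/warn excerpt (SFW2 / iptables LOG format):
# two TCP SYNs from one host to 6881, one UDP packet to 6881, one TCP SYN to 135.
SAMPLE_LOG = """\
Nov  1 08:24:20 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=24.3.211.118 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=5636 DF PROTO=TCP SPT=47050 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov  1 08:24:23 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=72.129.91.181 DST=83.146.42.229 LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=44548 PROTO=UDP SPT=6881 DPT=6881 LEN=66
Nov  1 08:24:23 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=24.3.211.118 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=5821 DF PROTO=TCP SPT=47050 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov  1 08:32:11 CASLIN01 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:0b:cd:b6:5a:33:00:11:5c:f2:29:ed:08:00 SRC=83.242.62.184 DST=83.146.42.229 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=15081 DF PROTO=TCP SPT=3825 DPT=135 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (0204055001010402)
"""

DROP_TAG = "SFW2-INext-DROP-DEFLT"
# iptables LOG output is a run of KEY=VALUE tokens; bare flags such as DF and SYN carry no '='.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drop_line(line):
    """Extract SRC, PROTO and DPT from one SFW2 DROP line; None for any other line."""
    if DROP_TAG not in line:
        return None
    # UDP lines carry a second LEN= (payload length); dict() keeps the last, which is harmless here.
    fields = dict(KV_RE.findall(line))
    try:
        return {k: fields[k] for k in ("SRC", "PROTO", "DPT")}
    except KeyError:
        return None  # truncated line

def summarise(lines):
    """Count dropped packets per (source IP, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec:
            counts[(rec["SRC"], rec["PROTO"], rec["DPT"])] += 1
    return counts

def build_report(counts, to_addr, from_addr="root@localhost"):
    """Wrap the summary in a message a daily cron job could pipe to 'sendmail -t' (addresses assumed)."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    body = "\n".join(f"{n:6d}  {src:<16} {proto:<4} DPT={dpt}"
                     for (src, proto, dpt), n in rows)
    msg = EmailMessage()
    msg["Subject"] = f"SFW2 drop summary: {sum(counts.values())} packets dropped"
    msg["From"], msg["To"] = from_addr, to_addr
    msg.set_content(body + "\n")
    return msg

if __name__ == "__main__":
    print(build_report(summarise(SAMPLE_LOG.splitlines()), "root").as_string())
```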
All times are GMT -5. The time now is 10:39 PM.