Linux SIEM (Logging/Correlating/Monitoring)
I'm going to start monitoring our Linux servers with a log management/correlation tool to take a proactive approach to the security of our systems. Right now I'm going to search for log events that include the following:
Failed user login “authentication failure”,“failed password”
User account change or deletion “password changed”,“new user”,“delete user”
Sudo actions “sudo:COMMAND=…” “FAILED su”
Service failure “failed” or “failure”
Can anyone else recommend any other commands or logs that would be good to correlate or be alerted on when a potential breach or suspicious activity is happening on the box? Logging cleared, permission changes on accounts or particular files or directories? What would you want to see while monitoring your servers? Is anyone doing anything similar?
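As an added example (not part of the post or of any tool it mentions), the matcher below applies the search patterns listed in the post to constructed syslog lines and correlates repeated failed logins from one source with a later successful login from the same address; the rule names, the threshold and the sample lines are assumptions chosen for the example.

```python
import re
from collections import Counter

# Rules built from the patterns in the post (first match wins); "accepted_login" is
# added so that failures can be correlated with a later success from the same host.
RULES = [
    ("failed_login",    re.compile(r"authentication failure|failed password", re.I)),
    ("accepted_login",  re.compile(r"Accepted (?:password|publickey) for")),
    ("account_change",  re.compile(r"password changed|new user|delete user", re.I)),
    ("sudo_command",    re.compile(r"sudo:.*COMMAND=")),
    ("su_failure",      re.compile(r"FAILED su")),
    ("service_failure", re.compile(r"\bfail(?:ed|ure)\b", re.I)),
]
SRC_HOST = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def classify(line):
    """Return the name of the first rule matching the line, or None."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return None

def correlate(lines, failed_threshold=3):
    """Count events per rule; alert when one source reaches failed_threshold
    failed logins, and again if that same source then logs in successfully."""
    counts, failures_by_ip, alerts = Counter(), Counter(), []
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        m = SRC_HOST.search(line)
        ip = m.group(1) if m else None
        if kind == "failed_login" and ip:
            failures_by_ip[ip] += 1
            if failures_by_ip[ip] == failed_threshold:
                alerts.append(("brute_force", ip))
        elif kind == "accepted_login" and ip and failures_by_ip[ip] >= failed_threshold:
            alerts.append(("success_after_failures", ip))
    return counts, alerts

# Constructed sample syslog lines (not from a real system) that exercise every rule.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2111]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:05 web1 sshd[2112]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:09 web1 sshd[2113]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar  3 10:01:15 web1 sshd[2114]: Accepted password for root from 203.0.113.5 port 40150 ssh2
Mar  3 10:02:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd backup2
Mar  3 10:02:01 web1 useradd[2200]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2, shell=/bin/bash
Mar  3 10:02:30 web1 su[2250]: FAILED su for root by bob
Mar  3 10:03:00 web1 systemd[1]: Failed to start nginx.service
""".splitlines()
```

Running `correlate(SAMPLE_LOG)` yields one event count per rule and two alerts for 203.0.113.5: the brute-force threshold, then the successful login that followed it.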