LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-07-2006, 08:32 PM   #1
wilby
LQ Newbie
 
Registered: Feb 2006
Posts: 11

Rep: Reputation: 1
What log files should be checked regularly?


I did a couple of searches and did not see any threads like this so I thought I would ask.

I'm not exactly new to Linux but I'm not an expert either. I know to use dmesg when I want to check for hardware issues or when installing new devices. I know where to look for samba or web logs and such and I'm sure I could manage to find the locations of any log I wanted to find. What I want to know is if there is a standard list of log files to check on a regular basis?

The only ones I really look at now are my boot log and sys log.

Lately I have been reading a lot about hackers and network insecurity and I'm becoming more and more concerned about intruders or even port scans and such. I'm not really sure what log file to look at for user logins or remote connections.

Can someone give me a fairly complete list of log files to review on a regular basis? Thank you in advance for any help anyone can offer.
 
Old 07-07-2006, 11:11 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The location of system logs tends to vary from distro to distro, so it helps if you can tell us which one you're using. It also depends on what applications/daemons you are running. For example Apache has its own set of logs as do a host of other daemons, so you'll need to specify those as well.

There are also some great tools that parse the various system and application logs and mail summaries to root. A list of these can be found in the Security References thread at the top of the forum.

Last edited by Capt_Caveman; 07-07-2006 at 11:12 PM.
 
Old 07-08-2006, 12:14 AM   #3
wilby
LQ Newbie
 
Registered: Feb 2006
Posts: 11

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by Capt_Caveman
The location of system logs tends to vary from distro to distro, so it helps if you can tell us which one you're using.
I use Slackware 10.1 running kernel 2.4.29

Quote:
Originally Posted by Capt_Caveman
It also depends on what applications/daemons you are running.
Daemons are as follows:
PID TTY TIME CMD
1 ? 00:00:04 init
2 ? 00:00:00 keventd
3 ? 00:00:00 ksoftirqd_CPU0
4 ? 00:00:15 kswapd
5 ? 00:00:00 bdflush
6 ? 00:00:02 kupdated
10 ? 00:00:00 mdrecoveryd
11 ? 00:00:00 kreiserfsd
61 ? 00:00:03 syslogd
64 ? 00:00:00 klogd
112 ? 00:00:00 udevd
270 ? 00:00:00 khubd
386 ? 00:00:00 dhcpcd
1765 ? 00:00:00 inetd
1769 ? 00:00:13 sshd
1773 ? 00:00:00 named
1781 ? 00:00:00 crond
1784 ? 00:00:00 sendmail
1787 ? 00:00:00 sendmail
1795 ? 00:00:00 httpd
1798 tty2 00:00:00 agetty
1799 tty3 00:00:00 agetty
1800 tty4 00:00:00 agetty
1801 tty5 00:00:00 agetty
1802 tty6 00:00:00 agetty
1803 ? 00:00:00 httpd
1804 ? 00:00:00 httpd
1805 ? 00:00:00 httpd
1806 ? 00:00:00 httpd
1807 ? 00:00:00 httpd
1825 tty1 00:00:00 agetty
1867 ? 00:00:00 httpd
1912 ? 00:00:00 httpd
11531 ? 00:00:00 sshd
11534 pts/0 00:00:00 bash
11572 pts/0 00:00:00 ps


Quote:
Originally Posted by Capt_Caveman
There are also some great tools that parse the various system and application logs and mail summaries to root. A list of these can be found in the Security References thread at the top of the forum.
I have seen these tools, but I was kind of hoping to get a little creative with a script; I guess I have nothing better to do with my time. Thanks for your help.
 
Old 07-09-2006, 12:30 PM   #4
wilby
LQ Newbie
 
Registered: Feb 2006
Posts: 11

Original Poster
Rep: Reputation: 1
Does anyone have any input, maybe even the logs that you personally check on a regular basis? I'm really interested in the remote login logs.

-Thanks
Wilby
 
Old 07-09-2006, 02:12 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
My Slackware box is temporarily out of commission, so I can't verify the accuracy of this, but I believe the standard area for logs in Slackware is the /var/log directory. You should have a general security log in /var/log/security which will show things like SSH logins along with other security messages. A log for general system messages should be in /var/log/messages. Regardless, you should check the /etc/syslog.conf file to verify where log messages are being sent.

I believe your Apache logs will be in /usr/local/apache/logs/. The 2 most important ones to monitor will be the access_log and the error_log.

As far as creating a homebrew script, that is entirely reasonable. Many of the common tools essentially do just that, so you may want to take a look at their source code to get some ideas. The hardest part will likely be tweaking your regexes to get everything you need without too many false positives.
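Two points in this post lend themselves to a worked example: verifying in /etc/syslog.conf where a facility's messages actually land, and the "homebrew script" that pulls SSH logins out of the resulting log without drowning in false positives. The script below is an added illustration, not code from this thread or from any of the tools in the Security References thread. It parses a syslog.conf in the sysklogd format Slackware uses, answers "which file(s) receive authpriv messages", and then summarizes sshd "Accepted"/"Failed" lines (both the older "illegal user" and newer "invalid user" wording) by user and source address. The log lines and the syslog.conf snippet embedded in it are constructed samples; the file names and the per-source failure threshold are assumptions, so run it against your own /etc/syslog.conf and whichever file that points at.

```python
#!/usr/bin/env python3
"""Summarize sshd login activity from a syslog-format file and work out,
from /etc/syslog.conf, which file a facility is written to.  Added example;
sample data below is constructed, not taken from a real host."""
import re
import sys
from collections import Counter

# Constructed sample resembling a sysklogd-style /etc/syslog.conf.  Paths are
# assumed; the whole point of the post above is to read your own file.
SAMPLE_CONF = """\
# kernel/daemon chatter, but keep auth, cron and mail noise out of it
*.info;*.!warn;authpriv.none;cron.none;mail.none    -/var/log/messages
*.warn;authpriv.none;cron.none;mail.none            -/var/log/syslog
authpriv.*                                          -/var/log/secure
"""

# Constructed sample log lines in the format syslogd writes for OpenSSH.
SAMPLE_LOG = """\
Jul  9 12:30:01 slack sshd[11531]: Accepted password for wilby from 192.0.2.10 port 40122 ssh2
Jul  9 12:31:15 slack sshd[11540]: Failed password for root from 198.51.100.7 port 50210 ssh2
Jul  9 12:31:17 slack sshd[11540]: Failed password for root from 198.51.100.7 port 50210 ssh2
Jul  9 12:31:20 slack sshd[11542]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Jul  9 12:32:00 slack sshd[11545]: Accepted publickey for wilby from 192.0.2.10 port 40130 ssh2
Jul  9 12:33:00 slack crond[1786]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Anchored pattern: only sshd lines that report an authentication result match,
# which is what keeps unrelated daemon output from showing up as false positives.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?P<invalid>invalid user|illegal user) )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_syslog_conf(text):
    """Return (selector, action) pairs; comments and blank lines are skipped
    and the sysklogd '-' (no fsync) prefix is stripped from file actions."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip().lstrip("-")))
    return rules


def log_files_for(rules, facility):
    """Actions that receive messages for `facility` (e.g. 'authpriv').
    Within one selector list the last matching item wins, so 'authpriv.none'
    after '*.info' excludes the facility from that file."""
    targets = []
    for selector, action in rules:
        matched = False
        for item in selector.split(";"):
            facs, _, prio = item.partition(".")
            if facs == "*" or facility in facs.split(","):
                matched = prio != "none"
        if matched:
            targets.append(action)
    return targets


def summarize_sshd(lines):
    """Count accepted and failed sshd logins keyed by (user, source address)."""
    summary = {"accepted": Counter(), "failed": Counter(), "invalid_users": Counter()}
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd auth result; ignore rather than guess
        key = (m["user"], m["src"])
        if m["result"] == "Accepted":
            summary["accepted"][key] += 1
        else:
            summary["failed"][key] += 1
            if m["invalid"]:
                summary["invalid_users"][m["user"]] += 1
    return summary


def flag_sources(summary, threshold=5):
    """Source addresses with at least `threshold` failed logins (assumed cut-off)."""
    per_src = Counter()
    for (_user, src), n in summary["failed"].items():
        per_src[src] += n
    return sorted((src, n) for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    # Usage: sshlog.py [/path/to/log]; with no argument the constructed sample runs.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    s = summarize_sshd(lines)
    print("authpriv goes to:", log_files_for(parse_syslog_conf(SAMPLE_CONF), "authpriv"))
    for (user, src), n in sorted(s["accepted"].items()):
        print(f"accepted {n:3d}  {user}@{src}")
    for (user, src), n in sorted(s["failed"].items()):
        print(f"failed   {n:3d}  {user}@{src}")
    for src, n in flag_sources(s, threshold=3):
        print(f"NOTE: {n} failed logins from {src}")
```

Run it with no arguments to see the sample, or hand it the path that log_files_for() reports for authpriv on your box (the post's /var/log/security, or whatever your syslog.conf says). Keying on (user, source) rather than on the whole line is what makes the summary readable when one address retries the same account many times, and anchoring the regex at the start of the line is the cheapest way to keep crond, named and httpd noise from being counted.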
 
Old 07-09-2006, 08:23 PM   #6
wilby
LQ Newbie
 
Registered: Feb 2006
Posts: 11

Original Poster
Rep: Reputation: 1
That's all good info Capt_Caveman, it's exactly what I was looking for. I appreciate your response and I'll try to remember to post here with my success/failure. Thanks again.
 
  

