
Intrusion Detection Systems, Part IV: Logcheck

You can download Logcheck from http://www.psionic.com by following the download link. Get the latest sources; at the time of writing this article, Logcheck was at version 1.1.1. One point to note: while you can download Logcheck as a non-root user, you have to log in as root to install it, because Logcheck installs its scripts, binaries and configuration files into directories owned by root.

Step 1: Untarring the sources

Untarring the sources is the first step towards installing the package. Use the following command to untar the sources:

bash# tar -xvzf logcheck-1.1.1.tar.gz

This will untar the sources and scripts into a directory called logcheck-1.1.1. cd into that directory and read the following files:

trevor@freeos.com:~/logcheck-1.1.1> less README

trevor@freeos.com:~/logcheck-1.1.1> less README. How to interpret

trevor@freeos.com:~/logcheck-1.1.1> less INSTALL

Basic Configuration before Installing

We mentioned the syslog daemon earlier in this article; most *nix systems use it to record and maintain logging events. On a Linux box this daemon is configured through the /etc/syslog.conf file, and you need to log in as root to access it. The entries in your syslog configuration file vary with the Linux distribution you use. Illustrated below is our syslog configuration file, which we have tweaked a bit for our convenience. Explaining every /etc/syslog.conf entry is beyond the scope of this article, but we give some pointers towards understanding the entries.

trevor@freeos.com:~/logcheck-1.1.1> vim syslog.conf

This is our syslog.conf file as illustrated below [snipped part of /etc/syslog.conf]:

#
# Warnings in one file
#
*.=warn;*.=err -/var/log/warn
*.crit /var/log/warn
#
# save the rest in one file
#
*.*;mail.none;news.none -/var/log/messages
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages
# Added by Trevor on 28th October
# Monitor authentication attempts
auth.*;authpriv.* /var/log/authlog
# Monitor all kernel messages
kern.* /var/log/kernlog
# Monitor all warning and error messages
*.warn;*.err /var/log/syslog

/etc/syslog.conf line 26/60 (END)
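To make the selector syntax in the snippet above concrete, here is a small evaluator, added as an example for this article and not part of Logcheck or the author's setup, that parses sysklogd-style selector lines and reports where a message with a given facility and priority would be written. It implements the three things the snippet relies on: a bare priority name selects that priority and everything more severe, `=` selects exactly one priority, `none` (and `!`) subtracts facilities or priorities from an earlier match on the same line, and a leading `-` on the file name means the daemon does not fsync after each line. The configuration text inside the block is a constructed sample modelled on the snippet, not a copy of the author's file.

```python
"""Toy evaluator for sysklogd-style /etc/syslog.conf selectors (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Priorities in ascending severity order, as defined by syslog(3).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Alternative spellings accepted in syslog.conf.
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample modelled on the article's snippet (not the author's file).
SAMPLE_SYSLOG_CONF = """
# Warnings in one file
*.=warn;*.=err    -/var/log/warn
*.crit            /var/log/warn
# save the rest in one file
*.*;mail.none;news.none   -/var/log/messages
# Monitor authentication attempts
auth.*;authpriv.* /var/log/authlog
# Monitor all kernel messages
kern.*            /var/log/kernlog
# Monitor all warning and error messages
*.warn;*.err      /var/log/syslog
"""


def rank(priority: str) -> int:
    """Severity index of a priority name, accepting the alias spellings."""
    return PRIORITIES.index(ALIASES.get(priority, priority))


@dataclass
class Rule:
    selectors: List[Tuple[List[str], str]]  # (facilities, priority spec) per ';'-separated selector
    target: str                             # log file the action writes to
    sync: bool                              # False when the action starts with '-' (no fsync per line)


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse selector/action lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector_text, action = line.split(None, 1)  # whitespace separates selector from action
        selectors = []
        for sel in selector_text.split(";"):
            facilities, spec = sel.rsplit(".", 1)   # "auth,authpriv.*" -> ["auth", "authpriv"], "*"
            selectors.append((facilities.split(","), spec))
        rules.append(Rule(selectors, action.lstrip("-"), not action.startswith("-")))
    return rules


def spec_matches(spec: str, priority: str) -> bool:
    """Does a priority spec ('*', 'warn', '=warn') select this priority?"""
    if spec == "*":
        return True
    if spec.startswith("="):                  # '=' means exactly this priority
        return rank(priority) == rank(spec[1:])
    return rank(priority) >= rank(spec)       # bare name means this priority and above


def selector_matches(rule: Rule, facility: str, priority: str) -> bool:
    """Evaluate ';'-joined selectors left to right; 'none' and '!' subtract from earlier matches."""
    matched = False
    for facilities, spec in rule.selectors:
        if "*" not in facilities and facility not in facilities:
            continue
        if spec == "none":
            matched = False
        elif spec.startswith("!"):
            if spec_matches(spec[1:], priority):
                matched = False
        elif spec_matches(spec, priority):
            matched = True
    return matched


def route(rules: List[Rule], facility: str, priority: str) -> List[Tuple[str, bool]]:
    """Return (target, sync) for every rule a message with this facility/priority reaches."""
    return [(r.target, r.sync) for r in rules if selector_matches(r, facility, priority)]


RULES = parse_syslog_conf(SAMPLE_SYSLOG_CONF)

if __name__ == "__main__":
    for fac, pri in [("auth", "info"), ("mail", "err"), ("kern", "crit")]:
        print(f"{fac}.{pri:<5} -> {route(RULES, fac, pri)}")
```

Running it shows why the snippet uses `=warn;=err` on the first line and `.crit` on the second: a kernel message at crit lands in /var/log/warn, /var/log/messages, /var/log/kernlog and /var/log/syslog, while a mail message at err is kept out of /var/log/messages by `mail.none` but still reaches /var/log/warn and /var/log/syslog. Note that a file written with the `-` prefix may lose the last few lines on a crash, which is one reason the authentication and kernel logs above are written synchronously.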

Note the last four files we mentioned above, at the end of the configuration file, namely:

/var/log/messages

/var/log/authlog