July 24, 2008 02:17am pdt

1. shakoush... 26,237
2. ravenpl 22,000
3. Redimido 18,510
4. omarfarid 11,045
5. noci 9,054
6. agriesser 8,850
7. ahoffmann 8,330
8. Blaz 8,260
9. Nopius 6,250
10. WizRd-Linux 4,800
11. arrkerr1024 4,500
12. gheist 4,200
13. Tintin 3,915
14. fridom 3,873
15. droyden 3,750

1. ahoffmann 182,026
2. ravenpl 105,338
3. jlevie 95,810
4. kblack05 65,801
5. Redimido 46,126
6. noci 36,058
7. Blaz 33,933
8. xDamox 32,605
9. wesly_chen 31,085
10. decoleur 28,923
11. shakoush... 28,737
12. XoF 28,530
13. omarfarid 23,215
14. Nopius 23,150
15. Tintin 22,755

05.15.2008 at 09:26AM PDT, ID: 23405820

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.8

Unix and Linux Security Logs

Zones: Linux Network Security, Unix Network Security Questions

Tags: Security Monitoring

I am looking for detailed lists of log descriptions one would expect to find in Unix and Linux Security and System Logs. I am a not a system administrator, but rather someone who is very used to microsoft event ID's. I understand how syslog is formed, but I cannot find any reliable and comprehensive source of individual log descriptions anywhere...

Start your free trial to view this solution

Question Stats

Zone: Security

Question Asked By: NiallMcCarthy

Solution Provided By: paradoxengine

Participating Experts: 2

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

05.15.2008 at 09:57AM PDT, ID: 21575768

paradoxengine:

Because there is none, or at least not a full one. The Unix world is far more complex world than the Microsoft one. Each application can log in a different way, and each flavour of unix and linux can organize logs in a different fashion. What's more, sysadmins can (and often do) customize logs and logging engine.
Maybe if you could narrow a bit your request..

05.16.2008 at 01:05AM PDT, ID: 21580760

NiallMcCarthy:

Thanks for the insightful answer, it explains a lot and gives me an indicator as to how much work I've got in front of me! Specifically I'm looking for log descriptions on SunSolaris, AIX and Red Hat currently. I pretty much want to understand the whole kit and kaboodle, but I would probably start with the following basics:
a) logon and logoffs
b) Administrator Actions
c) File and Folder Accesses
d) User Management
e) Detailed Tracking

05.16.2008 at 07:51AM PDT, ID: 21583232

gheist:

a) command is called 'last', logfile is non-text and named wtmp
b) some tools do log in something like auth.log or authlog.
c) This is called kernel trace (slow & complex)
d) see (b)
e) see (c)

All UNIX systems have tools that log most of admin actions
All unix systems have "accounting" facility - type "mac accton" for details - it records proces run times and consumed resources when enabled.
Some systems like AIX, Trusted Solaris, HP-UX do have in-depth auditing facilities.

05.16.2008 at 08:02AM PDT, ID: 21583344

NiallMcCarthy:

Thanks GHeist, but it's unfortunately it's not the detail that I'm looking for. I'm aware that the logging capacities exist, but I'm looking for some sort of index/formula for interpreting each individual log from each system. It's a big ask, I know.

05.17.2008 at 12:43AM PDT, ID: 21588310

gheist:

Syslog can be transfered into SQL database using syslog-ng.
audit and accounting are kernel features and best working locally.
For example accounting uses system-specific format and its hard to decrypt elsewhere. Kernel trace is even worse.

Basically whats essential is logged to syslog, and rest can be found repeating problem situations. Accounting and regular SNMP monitoring adds some oversight into future problems without huge overhead.
C2 auditing is more intended for warmakers and other paranoics.

05.17.2008 at 01:09AM PDT, ID: 21588365

paradoxengine:

Well, probably you don't need kernel tracing (once you have auditd capabilities, as gheist suggests) but that's another matter.
The point, Niall, is that there is no such formula, and that's one of the "big issues" in the log correlation market.
Most logs can be piped into syslog and are "normalized" to some degree, i.e. starts with a date, are followed by a pid and so. You can find some sample regexp looking into logcheck, a software able to check syslog for anomalies (well something like that). You will find that the first part of the logs is, quite often, very similar.
The point is that the "second part" is completely different depending on the operating system, or even the Linux distribution.
So my advice is to "slow-start" with a given OS, say Red Hat, and become familiar with its logging features. You will find that some of the know-how you build up will be portable to the other environments.

Accepted Solution

05.17.2008 at 02:55AM PDT, ID: 21588581

gheist:

Redhat has accounting disabled.

20080716-EE-VQP-33 / EE_QW_2_20070628