Some times you need to keep a close watch on a machine that has been compromise; therefore, you might want to see the logs in real time. Well, “tail” allows you to watch the logs in real time. Most systems related messages are logged to the “messages” log file, and security related messages are send to the “secure” log file. In the later you can find successful and unsucesful login attemps. So the “secure” log file is a good place to start when you are trying to identify whether someone has tried to break in to that box.
tail -f /var/log/messages
Now you can try login from a remote box or locally and watch the logs scroll down in real time. These are some logs file that might be of interest.
tail -f /var/log/secure #security related messages
tail -f /var/log/messages #system messages
tail -f /var/log/maillog #mail server messages
tail -f /var/log/httpd/access_log #web server messages
Moreover, the “grep” command can be quite useful for parsing through logs files. In this case, the grep command is use to search the “secure” log file for the string “jorge.” The -R switch is to specify the string, and the -n switch for displaying the line number.
[root@Fedora11-vbox ~]# grep -Rn smbuser /var/log/secure
81:Sep 26 11:55:04 Fedora11-vbox useradd: new group: name=smbuser, GID=501
82:Sep 26 11:55:04 Fedora11-vbox useradd: new user: name=smbuser, UID=501, GID=501, home=/home/smbuser, shell=/bin/bash
83:Sep 26 11:55:26 Fedora11-vbox passwd: pam_unix(passwd:chauthtok): password changed for smbuser
85:Sep 26 12:00:37 Fedora11-vbox passwd: pam_unix(passwd:chauthtok): password changed for smbuser
The “grep” command can also be used to search multiple files recursively. This command searches in the “/etc/httpd/conf” and “/etc/httpd/conf.d” directories for the string “VirtualHost.”
grep -R VirtualHost /etc/httpd/conf*
To recognize the search term in the search results add “–color” option.
[root@Fedora11-vbox ~]# grep --color -Rn smbuser /var/log/secure
1:Sep 26 12:24:07 Fedora11-vbox unix_chkpwd: password check failed for user (smbuser)
2:Sep 26 12:24:07 Fedora11-vbox sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=windows-box user=smbuser
3:Sep 26 12:24:10 Fedora11-vbox sshd: Failed password for smbuser from 10.100.20.108 port 51101 ssh2
4:Sep 26 12:24:25 Fedora11-vbox unix_chkpwd: password check failed for user (smbuser)
Also if you want to ignore case when you search messages, use the “-i” option.
grep -i selinux /var/log/messages
If it is a cleaver intruder, most likely he will try to erase his tracks by going to the log files and erasing any evidence he might leave behind. Therefore, you might want to send the logs for that particular log file to another computer across the network. For that you should make changes to the “/etc/syslog.conf” file. This file espicify where your logs messages should be sent.
# The authpriv file has restricted access.
authpriv.* @computername /var/log/secure
“@computername” is the remote machine where the logs will be sent.