A relatively sophisticated intruder who has entered a Linux system will also want to know what "clues" they have left behind and how those traces could be removed; anyone who wants to understand and counter this needs to know the system's native log tools.
logcheck periodically and automatically checks the log files for violations of security rules and for abnormal activity. It first filters out the normal log entries so that only the problematic ones remain, then emails that information to the system administrator. logcheck uses the logtail program to remember the position up to which each log file has already been read, and on the next run it starts handling new log entries from that position. logcheck consists mainly of the following files:
logcheck.sh is the executable script; it records which log files logcheck should check, and we can add it to crontab so that it runs at regular intervals.
logcheck.hacking is logcheck's first pattern file. It is applied together with the files below, in order from top to bottom. This file describes patterns of intrusion activity.
logcheck.violations contains patterns of problematic activity that runs contrary to common sense. Its priority is lower than that of the file above.
logcheck.violations.ignore is relative to logcheck.violations above: this pattern file lists the problems we do not care about.
logcheck.ignore is the last pattern file checked. If a line matches none of the first three pattern files and also does not match this file, it is written to the report.
logtail reads the log file information.
When logcheck runs for the first time, logtail reads all of the relevant log files and creates a logfile.offset file for each log file it watches, in that log file's directory, so that the next check can start from that offset. Each time logcheck runs, the contents that were not ignored are mailed to the user specified in logcheck.sh.
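To make the offset-and-pattern mechanism described above concrete, here is an added POSIX shell sketch of the idea; it is not logcheck's own code and, for brevity, applies only a hacking file and an ignore file rather than all four pattern files. The file names, sample log lines and patterns are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal re-creation of the logtail offset idea plus
# logcheck-style pattern filtering. Not the real logcheck/logtail code.
WORK=$(mktemp -d)                 # constructed stand-ins for /var/log files
LOG="$WORK/messages"
OFFSET="$WORK/messages.offset"    # plays the role of logfile.offset
HACKING="$WORK/logcheck.hacking"
IGNORE="$WORK/logcheck.ignore"

# Constructed sample log lines (no real hosts or addresses).
cat > "$LOG" <<'EOF'
Jan  1 10:00:01 host sshd[1]: Accepted publickey for alice from 192.0.2.10
Jan  1 10:00:05 host cron[2]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 10:00:09 host sshd[3]: Failed password for invalid user admin from 198.51.100.7
EOF
# Hacking patterns are always reported; ignore patterns are dropped.
printf '%s\n' 'invalid user' > "$HACKING"
printf '%s\n' 'cron\[' 'Accepted publickey' > "$IGNORE"

# logtail_since FILE OFFSETFILE: print only bytes appended since the last
# run, then store the new end-of-file offset.
logtail_since() {
    file=$1; offset_file=$2
    start=0
    [ -r "$offset_file" ] && start=$(cat "$offset_file")
    size=$(wc -c < "$file" | tr -d ' ')
    # If the file shrank (it was rotated), start again from the beginning.
    [ "$size" -lt "$start" ] && start=0
    tail -c +"$((start + 1))" "$file"
    echo "$size" > "$offset_file"
}

# check_log FILE OFFSETFILE: run the new lines through the pattern files in
# logcheck's order (hacking first, then the ignore file) and print the rest.
check_log() {
    new=$(logtail_since "$1" "$2")
    hacks=$(printf '%s\n' "$new" | grep -E -f "$HACKING" || true)
    rest=$(printf '%s\n' "$new" | grep -E -v -f "$HACKING" \
                                | grep -E -v -f "$IGNORE" || true)
    printf '%s\n' "$hacks" "$rest" | sed '/^$/d'
}

check_log "$LOG" "$OFFSET"   # first run: reports only the 'invalid user' line
check_log "$LOG" "$OFFSET"   # second run: nothing new, prints nothing
```

In the real tool the report is mailed rather than printed, and logcheck.violations and logcheck.violations.ignore sit between the two pattern files shown here.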
General Linux distributions ship with logrotate. It can rotate logs automatically and remove the oldest saved logs; its configuration file is /etc/logrotate.conf, where we can set the rotation period of the log files, the number of backup logs to keep, how the logs are backed up, and so on. The /etc/logrotate.d directory holds the rotation settings files for individual tools, such as syslog, which specify how rotation is done according to /etc/logrotate.conf; we can also add files for other services' logs there.
swatch is a real-time log monitoring tool in which we can define the events of interest. swatch has two modes of operation: one checks the log and then exits, the other monitors the log continuously for new entries. swatch offers a number of notification methods, including email, ringing the bell, terminal output, and a variety of colours. Before installing it, you must make sure the system supports perl. swatch is centred on its configuration file, swatchmessage; this text file tells swatch which logs to monitor, which triggers to look for, and which action to perform when a trigger fires. When swatch finds a match for a regular expression trigger defined in swatchmessage, it performs the notification procedure defined in swatchrc.
Of course, the software described above is only a few pretty shells on the Linux seashore. As more and more users join the ranks of Linux, we believe that outstanding hacks will also become more and more common, which in turn will push the Linux operating system towards maturity. We shall see.