
RE: [cobalt-users] Log Files - any help appreciated



<snip>
> /home/sites/home/logs
> /home/sites/site1/logs     (and for all other sites on the server e.g.
> site2, site3 etc)
> /home/log/httpd/   (check access - adm_access - adm_error - error - )
> /var/logs/   (check maillog - cron - auth - lastlog)
> 
> Any help and advise would be great (a list of files that I should be
> checking would be brilliant) - sorry about asking such a 
> basic question but
> I want to get it right from the start.
</snip>


Hi Ray,
There are a few log files whose contents you should be aware of. Not so much checking them non-stop with a fine-tooth comb, but being aware.

The key ones are:
/var/log/messages		 Holds most of the kernel and base-level logging for your RaQ.
This is the one to check frequently, as it's most likely to give a hint if a break-in has taken place (providing they're not clever enough to mask/remove the messages entries!)

/var/log/maillog		As you mention, this points you to the mail server incoming/outgoing and also all the pop3/imap/smtp connections. Check this for hints of people spamming through you (lots and lots of excessive mailings going through) and possible password breaches through the pop3 server.

/var/log/secure		Contains mainly security/authentication messages, so will typically hold all the logins for the system relating to the tcpwrappers system (this is used for things like pop3 (in.qpopper) and ftp (in.proftpd)).


Those three are the top ones. You could also check your last-log sometimes; do this by typing
last -20
which will show the last 20 people ftp/ssh/telnet'ing into your box, and also their IP/hostnames.

Another handy command is
mailq
which will print the current OUTGOING mail queue for sendmail. Good to check now and then to see if anyone is clogging it up, or it can highlight a problem in the delivery system.

Finally, I'd occasionally take a look at:
netstat -a
This command displays ALL listening sockets and established sockets/connections to your machine. At its most basic level, you can see if any one individual IP is connecting to you frequently and staying connected, and what port they are doing so on. Just in case you end up with a backdoor that allows people to connect and run ssh/telnet-like apps via another port.


Hope that makes sense, and any queries post back to the list as there is a lot of experience floating around with the people you see frequently posting in here.

Regards,

Andy
andy@xxxxxxxxxxxxxxx
http://www.raqpak.com/ <-- Raq/Qube unofficial PKGs and support advice
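As an added illustration of the /var/log/secure advice above (this is not part of Andy's post, nor a RaqPak script), the following shell snippet summarises tcpwrapper "connect from" and "refused connect from" entries so that a busy or repeatedly refused source host stands out without reading the file line by line. The log lines it parses are constructed sample data written to a temp file; the service names in.qpopper and in.proftpd come from the post, the addresses are documentation-range placeholders, and the line format is assumed to be the usual syslog/tcpwrappers one.

```shell
#!/bin/sh
# Added example, not from the list post: summarise tcpwrapper entries in a
# /var/log/secure style file. The lines below are constructed sample data
# (documentation-range IPs), not a real RaQ log.

SAMPLE_SECURE="${TMPDIR:-/tmp}/secure.sample.$$"
cat > "$SAMPLE_SECURE" <<'EOF'
Mar 12 10:01:02 raq in.proftpd[1234]: connect from 192.0.2.10
Mar 12 10:01:05 raq in.qpopper[1235]: connect from 192.0.2.10
Mar 12 10:02:11 raq in.qpopper[1240]: connect from 198.51.100.7
Mar 12 10:02:40 raq in.proftpd[1241]: refused connect from 203.0.113.9
Mar 12 10:03:01 raq in.qpopper[1242]: connect from 192.0.2.10
Mar 12 10:03:30 raq in.proftpd[1243]: refused connect from 203.0.113.9
Mar 12 10:04:00 raq sshd[1250]: Accepted password for admin from 198.51.100.7
EOF

# Accepted tcpwrapper connections per source host, busiest first.
# Output lines look like "3 192.0.2.10".
top_connectors() {
    grep ': connect from ' "$1" \
      | awk '{print $NF}' | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Refused connections per source host (tcpwrappers denials), most first.
refused_by_host() {
    grep 'refused connect from' "$1" \
      | awk '{print $NF}' | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Accepted connections per service (field 5 is "in.qpopper[1235]:",
# the bracketed PID is stripped), most first.
connects_by_service() {
    grep ': connect from ' "$1" \
      | awk '{svc = $5; sub(/\[.*/, "", svc); print svc}' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the hosts whose accepted-connection count exceeds $2,
# which is the kind of entry worth a closer look.
hosts_over_threshold() {
    top_connectors "$1" | awk -v t="$2" '$1 > t {print $2}'
}

echo "Accepted connections by host:"; top_connectors "$SAMPLE_SECURE"
echo "Refused connections by host:";  refused_by_host "$SAMPLE_SECURE"
echo "Accepted connections by service:"; connects_by_service "$SAMPLE_SECURE"
echo "Hosts with more than 2 connections:"; hosts_over_threshold "$SAMPLE_SECURE" 2
```

To run it against the real file, point the functions at /var/log/secure instead of the sample; a threshold that fits a small RaQ will be far lower than one for a busy shared host, so tune it to what the box normally sees.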