[Courses] [courses][security] what logs?

Jillian-Beth Stamos-Kaschke jillian at team.inter.net
Tue Mar 26 19:15:05 EST 2002


Hi there,

On Tue, Mar 26, 2002 at 05:05:54PM +0100, Hamster wrote:
 
> While reading through various security related articles, and even some posts on our security course, I have seen numerous examples of people saying something like "I can see in our logs that we are getting scanned x times a day".
> 
> I feel a bit silly asking this, but what logs are they referring to?

Your system's logs, which are usually in /var/log/.
The name of the logfile can differ; for example SuSE logs 
everything in /var/log/messages (I think), whereas Debian uses 
/var/log/syslog (/var/log/messages exists on Debian systems,
it just has a different function).

Among the things that are logged are login attempts (successful 
and unsuccessful), ftp connection attempts (ditto), pings and 
the like.

Logfiles can either be generated by daemons (such as Apache or 
a mail daemon) or syslogd. What syslogd logs and which file
it's written to is defined in /etc/syslogd.conf.

There are a couple of exceptions, though (and I might be wrong 
on this, so please feel free to correct me):

lastlog, although technically a logfile, actually consists of 
binary data and can be invoked by typing "lastlog". lastlog 
provides you with a list of who last logged in. One of lastlog's 
other binary friends is wtmp, used by the command "last", which 
spits out a similar list, the difference being that "last" shows 
a list of logins beginning from when wtmp was first created, so 
it can get pretty long.

Both wtmp and lastlog come with their own man pages for more 
information (as does syslog and syslog.conf).

> Are these logs created by some separate programmes written specifically for monitoring portscans? (if so, what are some of these programmes called?)
> OR
> Are these logs created by iptables itself?

No. Or iptables creates other logfiles I don't know about (cos 
I don't use iptables). Some programmes use your system's logfiles 
and filter them for you, so you don't have to constantly monitor 
them yourself (such as the friendly logcheck).

Jillian.
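As an added illustration of what "seeing scans in the logs" looks like in practice (this is not part of the original post), the script below reads syslog-style lines and summarises failed logins and probed ports per source address, roughly what a filter such as logcheck does for you. It assumes the sshd "Failed password ... from A.B.C.D port N" wording and netfilter LOG lines carrying SRC= and DPT= fields; the sample lines are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes sshd "Failed password"
# lines and netfilter LOG lines with SRC=/DPT= fields; adjust to your syslogd.

# Constructed sample of /var/log/syslog (or /var/log/messages) lines; not real.
SAMPLE_LOG='Mar 26 19:01:12 host sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 26 19:01:15 host sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar 26 19:01:20 host sshd[1205]: Accepted password for jillian from 198.51.100.7 port 40022 ssh2
Mar 26 19:02:03 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=4444 DPT=23 SYN
Mar 26 19:02:04 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=4445 DPT=21 SYN
Mar 26 19:02:05 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=4446 DPT=23 SYN
Mar 26 19:02:09 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=5001 DPT=22 SYN
Mar 26 19:03:00 host sshd[1210]: Failed password for root from 203.0.113.5 port 4500 ssh2'

# Count sshd failed-login lines per source address; prints "<ip> <count>", highest first.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# For netfilter LOG lines, count distinct destination ports per source address.
# One source touching many ports in a short window is what a port scan looks like here.
ports_probed_by_source() {
    sed -n 's/.*SRC=\([0-9.][0-9.]*\) .*DPT=\([0-9][0-9]*\).*/\1 \2/p' |
        sort -u | awk '{n[$1]++} END {for (s in n) print s, n[s]}' | sort -k2,2 -rn
}

# logcheck-style filter: keep only sources whose count is at or above the threshold ($1).
sources_at_or_above() {
    awk -v t="$1" '$2 >= t {print $1}'
}

# Demo run over the constructed sample; point the functions at your real log instead.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_LOG" | ports_probed_by_source | sources_at_or_above 2
```

For a real system, replace the sample with `cat /var/log/syslog | failed_logins_by_source` (or /var/log/messages, depending on your distribution's syslog.conf).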
