Which logs to track regularly

I run my own server at home for my personal website, running Ubuntu Server with Apache, Bind9 and Django. What logs would you suggest are best to keep track of on a regular basis (rather than on a basis of reading when something goes wrong)? I'm thinking of the detection of intrusion attempts (I've previously experienced SSH errors) and unusual traffic or errors on my site.


Solution 1:

Logs of interest:

  • /var/log/apache2/* - apache2 logs :)
  • /var/log/auth.log - authentication attempts
  • /var/log/daemon.log - system processes log here
  • /var/log/syslog - everything logs here

I use the logwatch package for monitoring SMTP traffic and SSH logins, and authentication attempts. It is available from most Linux distributions, including Ubuntu by default.

aptitude install logwatch

In the past I have also used logsurfer+ which is a complicated piece of software, but highly configurable.

If neither of these tools (logwatch, logsurfer+) meets your needs, there are a large number of log management solutions from various vendors, from software packages to dedicated devices. Here are a few to get started if you want to do additional research. I am not affiliated with any of these companies or products.

  • Splunk
  • ArcSight
  • AlertLogic
  • SANS Institute has many additional resources

Solution 2:

I suggest using OSSEC to monitor your logs. It will auto-detect the important log files and monitor all of them in real time by default.

If you are using Ubuntu, it will look at all authentication logs, apache logs, apt-get logs (to see when new apps are installed), etc.

It is open source, has an active development team and is simple to use. We migrated to it from logwatch, because it looks at the logs in real time instead of doing that every X hours like logwatch does.

Link: http://www.ossec.net
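
An added example, not part of either answer and not code from logwatch or OSSEC: a minimal pass over sshd lines in the /var/log/auth.log format, counting failed logins per source address and flagging logins that were accepted after earlier failures from the same address. The sample lines, the threshold of 3 and the name `summarize` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sshd format written to /var/log/auth.log.
SAMPLE = """\
Mar 10 06:25:01 web sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 06:25:03 web sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 06:25:06 web sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar 10 06:31:10 web sshd[1301]: Failed password for alice from 198.51.100.7 port 40020 ssh2
Mar 10 06:31:19 web sshd[1301]: Accepted password for alice from 198.51.100.7 port 40020 ssh2
Mar 10 06:40:00 web CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 07:02:44 web sshd[1502]: Accepted publickey for alice from 192.0.2.10 port 50111 ssh2
""".splitlines()

# The user field is matched greedily and the pattern is anchored to the end
# of the line, so the address taken is always the last "from ... port ..."
# on the line, even if the attempted username itself contains " from ".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2(?:: .*)?$"
)

def summarize(lines, threshold=3):
    """Return (per-source stats, noisy sources, accepted-after-failure list)."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    after_fail = []  # logins accepted from a source that failed earlier
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # not an sshd login result (cron, sudo, ...)
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        if m["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"] += 1
            if s["failed"]:
                after_fail.append((m["ip"], m["user"]))
    noisy = sorted(ip for ip, s in stats.items() if s["failed"] >= threshold)
    return dict(stats), noisy, after_fail

if __name__ == "__main__":
    stats, noisy, after_fail = summarize(SAMPLE)
    print("sources at or over threshold:", noisy)
    print("accepted after earlier failures:", after_fail)
```
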