Random Entry: Security as a positive architectural investment
< C++2LaTeX++ | Kyle and the Evolving Shell Scripts >

Log Filtering or Ignorance is Bliss

In yesterday's diary the SANS ISC asked for tips on correlating logs. This lead me to a post by Marcus Ranum entitled "artificial ignorance: how-to guide".

He describes a method of log analysis where the syslog is sanitised to remove volatile information such as pid's and the datestamp:

cd /var/log
cat * | \
	sed -e 's/^.*demo//' -e 's/\[[0-9]*\]//' | \
	sort | uniq -c | \
	sort -r -n > /tmp/xx

An ignore list is then created to remove all normal entries from the log. This is done by adding lines like:

cron.*: (root) CMD (/usr/bin/at)
sendmail.*: .*to=
ftpd.*: FTP LOGIN FROM

to a file which is then applied to the output of the original script with:

cat * | grep -v -f stoplist | \
	sort, etc --

This should 'erase' all of your normal log noise and only alert you of strange activity.

I do something similar with a utility called logcheck. It does pretty much the same thing and comes with an excellent set of ignore rules. I have only needed to create some new rules for ssmtp and one of my usb devices.

Thursday, July 7. 2005
Posted by Dominic White in Security
Comments (0) | Trackbacks (0)

Last modified on 2005-07-07 13:32

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry