Logfile Auditing

Vincent Danen

March 25, 2008

Logfiles are perhaps the most useful facility available to any sysadmin or user for determining what is going on in a system. They can be used to track down error messages, authentication information (who logged in, from where and when), and a whole slew of other data that may or may not matter to you. When you suspect a system break-in, logfiles can often provide vital clues to what happened, when, and who instigated it. Bear in mind, though, that an intruder who gains root can edit or delete the local logfiles, so what survives on a compromised host should be treated as a partial record rather than the whole story.

The drawback to logfiles is that they can get very large and contain a lot of data, much of which may mean absolutely nothing to you. Reviewing them by hand is a daunting task, which is why tools exist to aid in monitoring and auditing logfiles. And because so many logfiles exist, watching each and every one of them can be a full-time job for anyone.

On most systems, logfiles live in the directory /var/log. Some logs sit directly in that directory, while others are stored in sub-directories, usually named after a specific application or service. For instance, if you examine /var/log, you may find directories such as /var/log/mail, /var/log/news, /var/log/httpd, etc.

There are a few different daemons that can handle logging, and many applications write their own logfiles without going through a system logging daemon at all. There are also a number of applications that can be used to monitor and audit logfiles.
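To make the kind of auditing mentioned above concrete, here is an added example (not code from the original article or from any of the tools it alludes to) that does the sort of work a log-monitoring tool does: it scans sshd lines in traditional syslog format, counts failed logins per source address, and flags a source that reaches a threshold of failures, a login that succeeds after such a run of failures, and a root login by password. The sample lines, the hostname `host`, the addresses and the threshold of three failures are constructed for the example and are not from any real system.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines in syslog/sshd format; not from a real host.
SAMPLE_LOG = """\
Mar 25 10:01:12 host sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 4121 ssh2
Mar 25 10:01:15 host sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 4122 ssh2
Mar 25 10:01:19 host sshd[2043]: Failed password for root from 203.0.113.7 port 4125 ssh2
Mar 25 10:01:23 host sshd[2045]: Failed password for root from 203.0.113.7 port 4130 ssh2
Mar 25 10:02:01 host sshd[2050]: Accepted password for root from 203.0.113.7 port 4133 ssh2
Mar 25 10:05:44 host sshd[2060]: Accepted publickey for alice from 198.51.100.20 port 50112 ssh2
Mar 25 10:06:10 host sshd[2062]: Failed password for bob from 198.51.100.21 port 50120 ssh2
Mar 25 10:07:00 host CRON[2070]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the "Accepted ..." / "Failed ..." lines sshd writes; other lines (CRON etc.) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd(log_text):
    """Return one dict per sshd authentication line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit(log_text, threshold=3):
    """Summarise sshd authentication events and flag suspicious patterns.

    threshold (an assumption for this example) is the number of failures from
    one source address at which we call it a possible brute-force attempt.
    """
    failures = defaultdict(int)   # source IP -> failed attempts seen so far
    accepted = []                 # (user, ip, method) for each successful login
    findings = []
    for e in parse_sshd(log_text):
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:
                findings.append(f"{ip}: {threshold} failed logins, possible brute force")
            continue
        accepted.append((e["user"], ip, e["method"]))
        prior = failures.get(ip, 0)   # .get() so a clean source does not get a 0 entry
        if prior >= threshold:
            findings.append(f"{ip}: login as {e['user']} succeeded after {prior} failures")
        if e["user"] == "root" and e["method"] == "password":
            findings.append(f"{ip}: root logged in with a password")
    return {"failures": dict(failures), "accepted": accepted, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, ip, method in report["accepted"]:
        print(f"login: {user} from {ip} ({method})")
    for f in report["findings"]:
        print(f"FINDING: {f}")
```

The regex is deliberately narrow: it only recognises the two sshd outcomes the example cares about, so anything it does not understand is ignored rather than misread. In practice you would run something like this against /var/log/auth.log or /var/log/secure (the file name varies by distribution) and tune the threshold to the host.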