Environmental Genomics Thematic Programme Data Centre Advanced Bio-Linux Dan Swan: Log files and log monitoring.

What, where and why? Log files are files of 'useful' information that are written in an ongoing fashion by various programs on the system. Most (but not all) logs are stored in /var/log/. Apache (webserver) logs are stored in /etc/httpd/logs/. Logs are your first port of call for detecting things like upcoming hardware issues (such as disk drive failure), accounting for visits (hits) on the webserver, detecting intrusion attempts and detecting intrusions. Going over the log files is good practice, but for an inexperienced admin making sense of them is not always straightforward. We will try to demystify some of this process and show you how to automate it.

Apache logs

Why check these logs? If you have opened up your web server to the outside world it will be probed by hackers. Apache has had a number of vulnerabilities in the past but is generally considered to be good in terms of security. Things to look out for are: huge entries trying to get filenames with thousands of characters - these are attempted "buffer overflow" exploits. Anything which contains strings like ../../../../../../../../../ is attempting to locate files outside of an improperly secured Apache set up. Any requests for executable files, or cgi files that you did not put there, are cause for concern. You can safely ignore anything looking for .com or .exe files; these are scans for Microsoft IIS vulnerabilities.
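The checks described above, applied to a few constructed Common Log Format lines, as an added example (not part of the Bio-Linux slides). The 512-character size threshold and the set of CGI scripts "we put there" are assumptions for the demonstration.

```python
"""Flag the Apache access-log patterns the slide describes.
Added example, not part of the Bio-Linux slides; the threshold, the known-CGI
set and the sample log lines are constructed assumptions."""
import re

# Common Log Format: host ident authuser [date] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
MAX_PATH_LEN = 512                   # assumption: anything longer is "huge"
KNOWN_CGI = {"/cgi-bin/search.cgi"}  # assumption: the CGI scripts we installed
TRAVERSAL_RE = re.compile(r'(\.\./){2,}')
EXECUTABLE_RE = re.compile(r'\.(exe|com|cgi|pl|sh)$', re.IGNORECASE)

def classify(line):
    """Return {'host', 'path', 'reasons'}; an empty reasons list means benign."""
    m = CLF_RE.match(line)
    if not m:
        return {"host": None, "path": None, "reasons": ["unparseable line"]}
    path = m.group("path")
    base = path.split("?", 1)[0]     # drop the query string before checking
    reasons = []
    if len(path) > MAX_PATH_LEN:
        reasons.append("oversized request (possible buffer overflow attempt)")
    if TRAVERSAL_RE.search(path):
        reasons.append("directory traversal sequence")
    if EXECUTABLE_RE.search(base) and base not in KNOWN_CGI:
        if base.lower().endswith((".exe", ".com")):
            reasons.append("IIS scan (.exe/.com), safe to ignore on Apache")
        else:
            reasons.append("request for unexpected executable or CGI file")
    return {"host": m.group("host"), "path": base, "reasons": reasons}

def scan(lines):
    """Return the classification of every line that raised at least one reason."""
    return [r for r in map(classify, lines) if r["reasons"]]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2005:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [12/Mar/2005:10:01:05 +0000] "GET /cgi-bin/search.cgi?q=egtdc HTTP/1.0" 200 512',
    '192.0.2.12 - - [12/Mar/2005:10:02:17 +0000] "GET /../../../../../../var/log/messages HTTP/1.0" 404 290',
    '192.0.2.13 - - [12/Mar/2005:10:03:44 +0000] "GET /scripts/test.exe?/c+dir HTTP/1.0" 404 290',
    '192.0.2.14 - - [12/Mar/2005:10:04:01 +0000] "GET /cgi-bin/unknown.cgi HTTP/1.0" 404 290',
    '192.0.2.15 - - [12/Mar/2005:10:05:09 +0000] "GET /' + "A" * 600 + ' HTTP/1.0" 414 0',
]
```

Running scan(SAMPLE_LOG) over a real /etc/httpd/logs/access_log would report the four probing lines and pass the two ordinary ones; tune KNOWN_CGI to the scripts you actually installed.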

/var/log This contains the majority of the log files. Each one stores different information. It is important to keep an eye on these. Some can be viewed with a 'logchecker' to give the administrator essential information. It is important that as an administrator you learn to understand the information given in the logs. The only way is to look and learn. You will often not understand the entries; use Google to look them up if you are concerned. We will go through them one by one briefly.


dmesg (less /var/log/dmesg) /var/log/dmesg keeps a log of printed kernel messages. Most often this will have information about the boot process, and it should be checked to keep an eye on the actual hardware, as it can harbour warnings of upcoming problems. Whilst the system is running dmesg will print out any other kernel messages, and will include items like firewall incidents etc. There is a great article demystifying the dmesg output (which can be quite cryptic) here: ml


Log files not to stress about
/var/log/gdm : gdm is the graphical login manager.
/var/log/httpd : the same as /etc/httpd/logs/
/var/log/iptraf : it's empty!
/var/log/kdm.log : another graphical login manager.
/var/log/ksyms.* : kernel symbols logs (incomprehensible).
/var/log/lastlog : use the last command instead.
/var/log/mysqld.log : of course if you start using MySQL you might look!
/var/log/pgsql : PostgreSQL logs - as above.
/var/log/rcd/* : RedCarpet logs - only look if you have issues.
/var/log/rpmpkgs : same as running rpm -qa
/var/log/sa : output from the sar command on a cron job
/var/log/scrollkeeper.log : GNOME messages, might be good to look at if you have a GNOME problem!
/var/log/spooler : UUCP spools (no-one uses this anymore!)
/var/log/up2date : RedHat update mechanism (unused).
/var/log/wtmp : not human readable
/var/log/Xfree86.0.log : if you have X errors this is the place to look.

What is with the .1 files? The first thing you notice about /var/log/ files is that you have file, file.1, file.2 etc. This is because logs are rotated weekly to make sure they do not clog up the disk. Rotation is handled by logrotate.sh in /etc/cron/cron.daily. Each week file is moved to file.1, file.1 to file.2 etc., and file.4 is deleted, as we work a 4 week cycle of logs. You can alter the behaviour of logrotate in /etc/logrotate.conf

Automated log checking Currently Bio-Linux machines are set to email the EGTDC your logs. Now you are all advanced users :) you can take the responsibility for your own log checking. We will advise you how to do this later. Log checking is done by a program called logcheck.sh - appropriately! This is run as a daily cron job and the results emailed to the defined manager. Currently this is channelled to the EGTDC account and forwarded to us. In future this should be sent to the manager account. This tries to pick out the most obvious security problems and report them; although it still reports a lot of false positives, it is imperative you watch this file for curious actions on the system.