Title: logcheck Author: Craig H. Rowland License: See LICENSE file. Warranty: Money back guarantee. Not responsible for any consequences from use!! Abstract Logcheck is software package that is designed to automatically run and check system log files for security violations and unusual activity. Logcheck utilizes a program called logtail that remembers the last position it read from in a log file and uses this position on subsequent runs to process new information. All source code is available for review and the implementation was kept simple to avoid problems. This package is a clone of the frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm) firewall package. TIS has granted permission for me to clone this package. Purpose It bothers me to read stories of system administrators who have had a break-in realize it too late and report "Well I checked the logs from two weeks ago and found such and such had happened..." or "We've never had problems on that system before so we never bothered to check the logs.." Auditing and logging system events is important! What is more important is that system administrators be aware of these events so they can prevent problems that will inevitably occur if you have a system connected to the Internet. What is great about Unix is that virtually all modern implementations support the syslog(8) facility to report, and quite extensively if configured and supported correctly, virtually all happenings good or bad on the host system. This allows the creation of an audit trail that can be used very effectively to subvert potential attacks and alert system administrators that action should be taken. Unfortunately for most Unices (and Windows NT ) it doesn't matter how much you log activity if nobody ever checks the logs which is often the case. This is where logcheck will help. Logcheck automates the auditing process and weeds out "normal" log information to give you a condensed look at problems and potential troublemakers mailed to wherever you please. So you ask: There are other programs out there that do the same thing, why do I need this one? Well I say try the other ones and see which one fits your needs. There are many out there that are very good (i.e. swatch), and they all come at a great price (free). This package has some features though that may be easier for you to use because it doesn't require a constantly running program and can mail all findings from many systems back to a single location. Additionally, it reports any unusual system messages that you may not have seen before, a distinct advantage as it is often impossible to know every possible syslog message that may come into the logs from the daemons. Design Logcheck is based upon a log checking program called frequentcheck.sh featured in the Gauntlet(tm) firewall package by Trusted Information Systems Inc. (http://www.tis.com). The logcheck shell script and logtail.c program have been completely re-written from scratch and is implemented in a slightly different manner to accommodate for two methods of log file auditing: 1) By reporting everything you tell it to specifically look for via keywords. 2) By reporting everything you didn't tell it to ignore via keywords. This ensures that important messages are specifically brought to your attention (via the keywords you look for) and that important messages that you may have overlooked are also reported (by only ignoring items you tell it to). The original frequentcheck.sh script was implemented in a somewhat similar manner. The script is a simple shell programming model and the logtail.c program uses basic ANSI C compatible functions with comments and easy to follow source. Unusual tricks and "golly-gee" features have been left out to prevent problems. The logcheck script should be run at least hourly on your hosts from the cron daemon. This script will check files for unusual activity through the use of simple grep(1) commands and will mail all findings (if any) to the administrator. If nothing is found you'll receive no mail. System Information This program comes with default keyword filter files tuned for the firewall toolkit by TIS and systems running Wietse Venema's TCP Wrapper package (Which ALL systems should be running IMHO). This program is also very BSDish so you may have to tune it a little if you are running something other than a BSD variant (as if there are any other types of unix ;) ). I've tested the program extensively on BSDI 2.x, Linux, HPUX 10.x and FreeBSD 2.x without any hassles or major explosions of any type (although on HPUX you may need to get a real compiler and not that braindead piece of garbage that ships with it). I am _always_ looking for comments and suggestions. Additionally if you have a keyword file you find is nicely tuned for your version of Unix (IRIX, AIX, HP, Solaris, etc. ) please send it to me for inclusion in any subsequent updates. Basic keyword files that work well for BSDI 2.x, FreeBSD, HPUX, Solaris, SunOS and Linux are included. PLEASE read the INSTALL file for proper installation procedures and other tips. If you have any questions, comments, flames, then please e-mail me at crowland@psionic.com Thanks, Craig Rowland crowland@psionic.com