LinuxDevCenter.com


Tools of the Trade: Part 3

by Carl Constantine
07/13/2001

Welcome back! Today I'm going to take a look at some of the common tools that you can use on your own systems to spot holes, look for potential problems, and tighten your grip on the system.

Last time, I took you through a brief introduction to tcpdump and Tripwire. This time, we'll take a look at syslog and, last but not least, snort.

Syslog

Have you ever looked in your /var/log directory and wondered, "Where'd all those log files come from?" Chances are they were created by syslog, the system logging facility. syslog actually consists of a couple of different tools that were originally part of the BSD distributions.

syslog has been ported to Linux and many other Unix operating systems (Solaris, HP-UX, etc.) and keeps all the same functionality of the original program. In some cases, a few functions have been added but nothing has been removed. I would consider syslog to be more of a "system" rather than a tool.

There are four parts to syslog: a syslogd daemon process, a klogd daemon process, a programming interface (syslog.h), and a configuration file, /etc/syslog.conf, which is the key to the whole system. The programming interface is used by many other programs, such as Tripwire, to log activity on your system. Unless you're writing a security tool, or want to incorporate syslog in some other application you are writing, you won't use the programming interface.

The crux of the syslog system is the /etc/syslog.conf file. It controls what logs are created and when. A separate utility that isn't part of syslog (but maybe should be), called logrotate, will compress logs and create new ones on a daily basis, or at whatever interval you want. The result is something that looks like this:

[Screenshot: a /var/log listing showing the current and rotated log files]

syslog's configuration file is relatively simple to read and modify as you see fit. Let's take a quick look.
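As an added example (not from the article), here is a small Python model of how syslogd interprets the facility.priority selectors in /etc/syslog.conf and decides which action receives a message. The configuration lines are constructed for the example, and the model covers only the `*`, `=priority` and `none` selector forms, not the `!` exclusion syntax.

```python
# Added example, not from the article: a small model of how syslogd applies the
# facility.priority selectors in /etc/syslog.conf to choose the action (usually a
# log file) for a message. The config text is constructed; "!" exclusions are not modelled.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # most severe first

# Constructed /etc/syslog.conf fragment: selector(s), whitespace, action.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           /var/log/maillog
kern.=crit                       /var/log/kern-crit
*.emerg                          *
"""
def parse_conf(text):
    """Return a list of (selectors, action); a selector is (facility, op, priority)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sel_field, action = line.split(None, 1)
        selectors = []
        for sel in sel_field.split(";"):
            fac, prio = sel.rsplit(".", 1)
            # "=crit" selects exactly that priority; plain "crit" means crit and above
            op, prio = ("=", prio[1:]) if prio.startswith("=") else ("", prio)
            selectors.append((fac, op, prio))
        rules.append((selectors, action.strip()))
    return rules

def rule_matches(selectors, facility, priority):
    """Selectors apply left to right; the last one naming the facility wins."""
    verdict = False
    for fac, op, prio in selectors:
        if fac not in ("*", facility):
            continue
        if prio == "none":
            verdict = False          # e.g. mail.none keeps mail out of messages
        elif prio == "*":
            verdict = True           # every priority of this facility
        elif op == "=":
            verdict = prio == priority
        else:                        # "info" means info and anything more severe
            verdict = LEVELS.index(priority) <= LEVELS.index(prio)
    return verdict

def route(rules, facility, priority):
    """Actions that would receive a message logged as facility.priority."""
    return [a for sels, a in rules if rule_matches(sels, facility, priority)]

RULES = parse_conf(SAMPLE_CONF)
```

Calling `route(RULES, "mail", "info")` shows why mail traffic lands only in /var/log/maillog: the `mail.none` selector on the first line overrides the earlier `*.info` for that facility.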
