
I'm working on a project which requires some auditing of read/write/modifications to various files. Additionally I must log ftp access, user logins, NTP/system time changes etc. Is there a nice tool for UNIX able to do all this and also allow me to export the data to a nice human readable format?

Right now I am monitoring file events using the standard UNIX audit tool with ausearch commands etc. This works OK, however it has a lot of guff and I don't particularly want to have to write scripts to parse all these files. I would also really like things to be written in a human readable format rather than have to parse it after the fact. Given our customer wants to be able to export these audit logs and read them with basic tools (web browser/text editors), I need it to be easy on the eye.

Any help on this one?

Cheers.

user8680

3 Answers

2

File changes: AIDE

And for the logs: Logcheck
You can tweak it so it reports certain entries in logs.

Alakdae
  • Looked into AIDE, however I am under the belief that it cannot log file modifications/access/executions on the fly? It hashes all files configured to start with and can then be used for later comparison? Given that the system I am working on is recording CCTV footage, I need to be able to log any access to recorded footage which is being constantly generated. Terabytes' worth, in fact. I finally got auditd to do what I wanted, with logrotate handling log rollovers, which is great. But then I find that it will not recurse sub-directories, which I need it to do. Am I wrong or will AIDE do this? – user8680 Jun 10 '09 at 08:58
  • AIDE also checks subdirectories. About monitoring CCTV footage, I don't know a tool that would monitor on the fly. AIDE simply shows you changes, added files, and deleted files between the previous and current snapshot. – Alakdae Jun 10 '09 at 09:07
  • As I suspected. Cheers for the info. My hunt shall continue! – user8680 Jun 11 '09 at 02:31
0

There is an audit daemon on Linux boxes.

TiFFolk
  • This is my current implementation. The problem however is that it does not allow too much in the way of log file format. It is quite verbose, and not too human readable. There are lots of features that I would like it to have which it sadly does not. So if there is a tool out there that is better, that would be great. – user8680 Jun 08 '09 at 10:45
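Added example, not code from any poster here: a small Python post-processor that joins auditd's raw SYSCALL/CWD/PATH records by event id and emits one readable line per file event, roughly what `ausearch -i` does but in a layout you control. The sample records, the `/srv/cctv` watch path and the `cctv` rule key are constructed for the example; the syscall-number table is the x86_64 one and covers only the calls shown.

```python
import re
from datetime import datetime, timezone
# Constructed sample of raw auditd records for a directory watch such as
# "-w /srv/cctv -p rwxa -k cctv"; each event's records share one msg=audit(TIMESTAMP:ID).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1244620000.123:456): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2222 auid=1000 uid=1000 gid=1000 euid=1000 comm="recorder" exe="/usr/bin/recorder" key="cctv"
type=CWD msg=audit(1244620000.123:456): cwd="/srv/cctv"
type=PATH msg=audit(1244620000.123:456): item=0 name="cam1/2009-06-10.mp4" inode=12345 dev=08:01 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1244620005.500:457): arch=c000003e syscall=87 success=no exit=-13 items=1 ppid=1 pid=3333 auid=1001 uid=1001 gid=1001 euid=1001 comm="rm" exe="/bin/rm" key="cctv"
type=PATH msg=audit(1244620005.500:457): item=0 name="/srv/cctv/cam1/2009-06-10.mp4" inode=12345 dev=08:01 mode=0100644 ouid=1000 ogid=1000
"""
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 82: "rename", 87: "unlink", 257: "openat"}  # x86_64
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Join the SYSCALL/CWD/PATH records of each event id; PATH may repeat, so keep a list."""
    events = {}  # dict keeps insertion order, so events come out in log order
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # truncated or non-audit line
        rtype, eid = m.group(1), m.group(3)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
        ev = events.setdefault(eid, {"ts": int(m.group(2)), "paths": []})
        if rtype == "PATH":
            ev["paths"].append(fields["name"])
        else:
            ev[rtype] = fields
    return events

def summarize(text):
    """Flatten each event into one dict; PATH names are relative to the CWD record unless absolute."""
    out = []
    for ev in group_events(text).values():
        sc, cwd = ev.get("SYSCALL", {}), ev.get("CWD", {}).get("cwd", "/")
        out.append({
            "time": datetime.fromtimestamp(ev["ts"], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "uid": sc.get("uid"), "auid": sc.get("auid"),  # auid is the login uid and survives su/sudo
            "comm": sc.get("comm"), "key": sc.get("key"),
            "action": SYSCALL_NAMES.get(int(sc.get("syscall", -1)), "syscall " + sc.get("syscall", "?")),
            "success": sc.get("success") == "yes",
            "paths": [p if p.startswith("/") else f"{cwd}/{p}" for p in ev["paths"]],
        })
    return out

def render(text):
    """One plain-text line per event, readable in any editor or browser."""
    return [f'{e["time"]} {e["action"]:<7} {"ok" if e["success"] else "DENIED"} uid={e["uid"]} '
            f'auid={e["auid"]} {e["comm"]} {" ".join(e["paths"])} [{e["key"]}]' for e in summarize(text)]
```

Feeding `/var/log/audit/audit.log` through `render` gives the flat text the question asks for; the `auid` field is the one to report, since it still identifies the original login after `su` or `sudo`.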
0

My recommendation is the tool OSSEC.

- It does file integrity checking to detect changes to files (or directories)
- It does log analysis to detect failed logins, time changes, etc.
- It is open source, multi-platform and easy to install.

I have been using it for PCI compliance and to audit my Linux systems and routers (yes, it supports Cisco routers too via "agentless").

Link: http://www.ossec.net

sucuri