1

For some weeks I have been managing my first web server, a Seaside application behind an Apache proxy on Linode, and I installed logwatch to send me daily logs.

Where can I get information on when I have to act as a consequence of what I read in these logwatch reports?

For example, I read that all kinds of people try to log in to funny nonexistent accounts, or all kinds of web crawlers test for nonexistent CMS login pages, some IP addresses get banned and unbanned by fail2ban...

I assume that's normal? Is it? But how do I know that I probably have to do something? What do I look for in the logs?

Helene Bilbo
  • 111
  • 3

3 Answers

2
  1. Google.
  2. Yep, that's called internet background noise: hackers trying to get into your machine. It's pretty normal. Anyway, what you can do is install a host-based intrusion detection system like OSSEC. The benefit is that this will block attacks so you can sleep better at night.
Lucas Kauffman
  • 16,880
  • 9
  • 58
  • 93
  • You mean Google each of the messages that appear in a logwatch mail? I do/did this, of course. I hoped there would be something like "common things that appear in logwatch mails and how to act when you see them" as examples, to see what it's like. I know that might not cover everything that might happen – it's more to get a general idea. – Helene Bilbo Oct 04 '12 at 09:38
1

You must learn your logs and know them by heart, even if you don't understand the exact meaning of some particular message. Then, when you suddenly see something out of order, you will know that you have a problem. It is obvious to you that if your HD starts making strange sounds that you never used to hear, something is going wrong with it, even if you do not know why it makes any sound at all, right? The same goes for logs.

The consequences of being hacked may be very painful. Just imagine that your VPS is involved in a complex scheme to hack a financial institution. You have rented this virtual entity and you have full control. Thus you are fully responsible.

Life is life...

Serge
  • 388
  • 1
  • 4
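The two answers above say the same thing from different angles: failed logins against nonexistent accounts are background noise (fail2ban and OSSEC exist to absorb it), and what you actually watch for is the moment something falls out of the usual pattern. The script below is an added example, not part of the question or any answer, showing what "out of order" looks like as concrete rules run over sshd lines in auth.log format. The log lines are constructed sample data, the `known_ips` set and the alert rule names are assumptions of this example, and the thresholds are illustrative: a success from a source that was just failing repeatedly, a password login as root, or a login from an address you have never logged in from before are each worth reading closely, while the per-IP failure counts are the noise you learn to ignore.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/auth.log syntax (not taken from the question).
SAMPLE_LOG = """\
Oct  4 06:01:11 web sshd[2101]: Invalid user admin from 203.0.113.5
Oct  4 06:01:13 web sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Oct  4 06:01:15 web sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Oct  4 06:02:40 web sshd[2110]: Failed password for root from 198.51.100.7 port 40110 ssh2
Oct  4 06:02:42 web sshd[2110]: Failed password for root from 198.51.100.7 port 40110 ssh2
Oct  4 06:02:44 web sshd[2110]: Failed password for root from 198.51.100.7 port 40110 ssh2
Oct  4 06:02:50 web sshd[2112]: Accepted password for root from 198.51.100.7 port 40120 ssh2
Oct  4 07:15:02 web sshd[2200]: Accepted publickey for helene from 192.0.2.10 port 55000 ssh2
"""

# syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def parse_line(line):
    """Return (timestamp, kind, user, ip, method) for sshd auth events, else None.

    kind is "failed" or "accepted"; method is the auth method ("password",
    "publickey"). Lines that are not auth outcomes (e.g. "Invalid user ...",
    which precedes a "Failed password" line) are ignored to avoid double counting.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the double space in "Oct  4" so strptime accepts it (year is irrelevant here).
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    msg = m.group(2)
    f = FAILED_RE.match(msg)
    if f:
        return ts, "failed", f.group(1), f.group(2), "password"
    a = ACCEPTED_RE.match(msg)
    if a:
        return ts, "accepted", a.group(2), a.group(3), a.group(1)
    return None


def analyze(log_text, known_ips, window=timedelta(minutes=10), threshold=3):
    """Separate background noise (failure counts) from events that need a human.

    known_ips: set of source addresses you normally log in from (assumption of
    this example; in practice build it from your own past successful logins).
    """
    failed_by_ip = Counter()
    recent_failures = defaultdict(list)  # ip -> timestamps of failed attempts
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, kind, user, ip, method = ev
        if kind == "failed":
            failed_by_ip[ip] += 1
            recent_failures[ip].append(ts)
            continue
        # A success is where noise stops being noise; judge it against context.
        recent = [t for t in recent_failures[ip] if timedelta(0) <= ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "success_after_failures", "ip": ip, "user": user,
                           "detail": f"{len(recent)} failed attempts in the preceding {window}"})
        if user == "root" and method == "password":
            alerts.append({"rule": "root_password_login", "ip": ip, "user": user,
                           "detail": "password login as root (expect keys only)"})
        if ip not in known_ips:
            alerts.append({"rule": "login_from_unknown_ip", "ip": ip, "user": user,
                           "detail": "successful login from an address not seen before"})
    return {"failed_by_ip": dict(failed_by_ip), "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, known_ips={"192.0.2.10"})
    print("Background noise (failed attempts per source IP):")
    for ip, n in sorted(result["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n}")
    print("Events to look at:")
    for a in result["alerts"]:
        print(f"  [{a['rule']}] {a['user']} from {a['ip']}: {a['detail']}")
```

Run against a real auth.log, the failure counter is the part of the report you skim, and the alerts list is the part you read. The "success after failures" rule is the one that matters most: fail2ban bans addresses, but it cannot tell you that one of them guessed right before the ban, and only the log can.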
-1

My immediate thought is to use a log analyzer, such as the free version of Splunk. Manually reading logs is a good way to learn, but it requires time and increases the likelihood of human error by overlooking things. Log analyzers can be a crutch to help increase one's knowledge.

It is limited in the free version, but it can quickly show what is possible and whether such features are worth pursuing. To get logs into Splunk:

Another open source option would be syslog-ng:

RandomBit
  • 74
  • 4