[gentoo-amd64] /var/log
Hi all,

I have been looking in '/var/log' for users logging on. The files and directories in there are fastidiously organised (to say the least). Better than usual UNIX distros. What is the best place to look for logins/hacks?

Gavin.

--
Dr Gavin Seddon
School of Pharmacy and Pharmaceutical Sciences
University of Manchester
Oxford Road, Manchester M13 9PL, U.K.

--
gentoo-amd64@gentoo.org mailing list
Re: [gentoo-amd64] /var/log
On 21 Dec 2005, at 12:32, Gavin Seddon wrote:

> I have been looking in '/var/log' for users logging on. The files and directories in there are fastidiously organised (to say the least). Better than usual UNIX distros. What is the best place to look for logins/hacks?

Which syslog daemon do you use? How is it configured?

I use metalog and I get password failure notices in /var/log/pwdfail/*.

You could also run

    lastlog | grep -v '**Never logged in**'

to see when people last logged in.

Yours,
Craig

--
Craig Webster | t: +44 (0)131 516 8595 | e: [EMAIL PROTECTED]
Xeriom.NET    | f: +44 (0)709 287 1902 | w: http://xeriom.net
Re: [gentoo-amd64] /var/log
On 21 Dec 2005, at 12:32, Gavin Seddon wrote:

> I have been looking in '/var/log' for users logging on. The files and directories in there are fastidiously organised (to say the least). Better than usual UNIX distros. What is the best place to look for logins/hacks?

You should take a look at http://www.gentoo.org/doc/en/security/security-handbook.xml. It has some great information on securing your install, from physical security to logging all activity and everything in between.

I would recommend setting up logsentry (see section 3, Logging), which is a tool that parses the log files and then emails you about unusual events. It takes a little tweaking to get it working well with metalog, but is very useful once it's set up.

I see your next thread is on firewalls, and that is addressed in the security handbook too.

Brett
Re: [gentoo-amd64] /var/log
On Wednesday 21 December 2005 04:32 am, Gavin Seddon wrote:

> Hi all,
>
> I have been looking in '/var/log' for users logging on. The files and directories in there are fastidiously organised (to say the least). Better than usual UNIX distros. What is the best place to look for logins/hacks?
>
> Gavin.

Try looking at auth.log and wtmp. auth.log is a plaintext log of login attempts, and wtmp is a binary file that is used by the who command, and can also be accessed by the last command.

--
Eric Bliss
systems design and integration, CreativeCow.Net
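Craig's and Eric's replies both point at the same two sources: the plaintext authentication log (auth.log, or metalog's /var/log/pwdfail/* files) for failed attempts, and wtmp via last/lastlog for successful sessions. The script below is an added example, not something posted in the thread; it shows how to turn the plaintext side into a quick summary of failed attempts per source address and of accepted logins. The log lines it reads are constructed in the common syslog/sshd format, and the host name, user names and addresses in them are placeholders. The threshold in flag_source is an assumed tuning value, not a recommendation from the handbook.

```shell
#!/bin/sh
# Added example (not from the thread): summarise an auth.log-style file.
# The sample lines below are constructed in the usual syslog/sshd format;
# host, users and addresses are placeholders (RFC 5737 documentation ranges).

AUTH_SAMPLE=$(mktemp)
trap 'rm -f "$AUTH_SAMPLE"' EXIT
cat > "$AUTH_SAMPLE" <<'EOF'
Dec 21 12:30:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Dec 21 12:30:03 host sshd[2002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Dec 21 12:30:05 host sshd[2003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Dec 21 12:31:00 host sshd[2004]: Accepted publickey for gavin from 198.51.100.7 port 50000 ssh2
Dec 21 12:32:10 host sshd[2005]: Failed password for gavin from 203.0.113.5 port 40010 ssh2
Dec 21 12:33:00 host login[2100]: FAILED LOGIN 1 FROM tty1 FOR gavin, Authentication failure
EOF

# Failed sshd password attempts per source address, most frequent first.
# Output: "<address> <count>" per line.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([^ ]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $2, $1}'
}

# Successful sshd logins as "<user> <method> <address>", in log order.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted' "$1" \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([^ ]*\) port .*/\2 \1 \3/p'
}

# Print the busiest source address if its failure count reaches THRESHOLD,
# otherwise print nothing.  Usage: flag_source FILE THRESHOLD
flag_source() {
    failed_by_source "$1" | awk -v t="$2" '$2 >= t {print $1; exit}'
}

# Stand-alone run: show the summaries for the constructed sample.
echo "Failed password attempts by source:"
failed_by_source "$AUTH_SAMPLE"
echo "Accepted logins:"
accepted_logins "$AUTH_SAMPLE"
echo "Source at or above 3 failures: $(flag_source "$AUTH_SAMPLE" 3)"
```

Point the functions at the real file (for example /var/log/auth.log, or a concatenation of /var/log/pwdfail/* under metalog) instead of the sample. The wtmp side has no text to parse: use `last` for the session history and `lastlog` for each account's most recent login, as Craig's command does, and compare the addresses there against what the failed-attempt summary reports.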