Logstats
Logstats applies user-defined rules to the entries in a log file. With these rules you throw away the information you have decided you do not need and concentrate on the more interesting log entries.
- Set up all of the machines to send their logs to a loghost. This is done by editing /etc/syslog.conf; here is an example from a Digital Unix 4.0 machine (same syntax as Linux):
*.info @loghost
And from a Solaris 2.6 machine:
# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
auth.notice ifdef(`LOGHOST', /var/log/syslog, @loghost)
daemon.notice ifdef(`LOGHOST', /var/log/syslog, @loghost)
mail.notice ifdef(`LOGHOST', /var/log/syslog, @loghost)
local2.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)
- Get the Logstats Perl code from Jim's Security Tools.
You will find pattern files which are suited to the systems at CISE; we have the same type of machines plus the DEC Alphas, so you will need to add more regular expressions to the config files. Start the program up as is and look at the unaccounted-for lines. Decide which lines can be safely ignored (for example, we don't need to know that an email from foo@phys.ufl.edu was successfully sent to jack@foo.com).
- Once you get your pattern files filtering the data to your liking, you will want to run the program at a regular interval. I use a shell script to run logstats over the new log entries and mail the output to me:
#!/bin/sh
# Feed only the lines added since the last run through the pattern files
# and mail the result (including any error output) to the administrator.
cd /usr/local/logstats
/usr/local/logstats/logtail /var/log/syslog | /usr/local/logstats/logstats 2>&1 | /usr/ucb/Mail -s "log stats" ddr
And a crontab entry:
20 13,1 * * * /local/logstats/logstats.sh
to send the info to me twice a day.
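The following is an added example, not the Logstats or logtail code from Jim's Security Tools: a small Python workalike of the two programs that shows what the pattern files and the cron job above actually do. The rule names, the regular expressions and the sample syslog lines are all constructed for this illustration; the real pattern files use their own format and rules.

```python
"""Minimal Logstats/logtail workalike (added example, not the original Perl).

Rules are (name, regex) pairs. A line matching a rule is counted under that
name; anything no rule claims is reported as "unaccounted for" so that it can
be reviewed and either turned into a new rule or investigated.
"""
import re

# Constructed sample log lines in classic syslog format (not real data).
SAMPLE_LOG = """\
Mar  3 13:02:11 alpha1 sendmail[1234]: NAA01234: to=<jack@example.org>, stat=Sent
Mar  3 13:02:15 alpha1 sshd[2222]: Accepted password for ddr from 10.0.0.5 port 1022
Mar  3 13:02:40 sun1 sshd[3333]: Failed password for root from 192.0.2.77 port 1023
Mar  3 13:03:01 sun1 xntpd[411]: synchronized to 10.0.0.1, stratum 2
Mar  3 13:03:05 sun1 sshd[3334]: Failed password for root from 192.0.2.77 port 1024
Mar  3 13:04:00 alpha1 su: 'su root' failed for nobody on /dev/pts/4
"""

# Equivalent of a pattern file: ordered (name, compiled regex). The first
# matching rule wins, so keep the most specific rules first. The names and
# expressions are constructed for this example.
IGNORE_RULES = [
    ("sendmail delivered", re.compile(r" sendmail\[\d+\]: .* stat=Sent$")),
    ("ntp sync", re.compile(r" xntpd\[\d+\]: synchronized to ")),
    ("ssh login ok", re.compile(r" sshd\[\d+\]: Accepted \w+ for \w+ from ")),
]


def apply_rules(lines, rules=IGNORE_RULES):
    """Return (counts, unaccounted): per-rule match counts and the lines that
    no rule claimed. The unaccounted list is what you read by hand."""
    counts = {name: 0 for name, _ in rules}
    unaccounted = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        for name, rx in rules:
            if rx.search(line):
                counts[name] += 1
                break
        else:
            unaccounted.append(line)
    return counts, unaccounted


def tail_since(data, offset):
    """Core of logtail: given the whole file contents (bytes) and the offset
    saved by the previous run, return (new_lines, new_offset). If the file is
    now shorter than the saved offset it was rotated or truncated, so start
    again from the beginning rather than silently skipping entries."""
    if len(data) < offset:
        offset = 0
    chunk = data[offset:]
    return chunk.decode("utf-8", errors="replace").splitlines(), len(data)


def logtail(path, offset_path):
    """File-based wrapper around tail_since, mirroring how logtail is used in
    the cron script: read new lines, remember where we stopped."""
    try:
        with open(offset_path) as f:
            offset = int(f.read().strip() or 0)
    except FileNotFoundError:
        offset = 0
    with open(path, "rb") as f:
        lines, new_offset = tail_since(f.read(), offset)
    with open(offset_path, "w") as f:
        f.write(str(new_offset))
    return lines


def report(lines, rules=IGNORE_RULES):
    """Build the text that the cron job would mail out."""
    counts, unaccounted = apply_rules(lines, rules)
    out = ["Accounted for:"]
    out += ["  %5d  %s" % (n, name) for name, n in counts.items()]
    out.append("Unaccounted for (%d lines):" % len(unaccounted))
    out += ["  " + line for line in unaccounted]
    return "\n".join(out)


if __name__ == "__main__":
    # Run over the constructed sample; in practice the lines would come from
    # logtail("/var/log/syslog", "/var/log/syslog.offset").
    print(report(SAMPLE_LOG.splitlines()))
```

Run against the sample, the three routine lines (a delivered mail, an NTP sync, a successful login) are counted and dropped, while the repeated failed root logins and the failed su remain in the unaccounted list, which is exactly the part of the report worth reading. Tuning the pattern files is the same loop: add a rule only for lines you have looked at and are sure you never need to see again.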