You could use a simple script, for example, to examine your system log for certain keywords. If the script is run via your system's scheduling table, /etc/crontab, it can help automate security monitoring. By combining the output capabilities of existing Linux commands with the language facilities of the shell, you can quickly build a useful script to perform a task normally requiring a number of command lines. For example, you can create a short script, named greplog, like this:
#!/bin/sh
# name: greplog
# use: mail grep of designated log using keyword
# version: v.01 08aug02
# usage: greplog [keyword] [logpathname]
# bugs: does not check for correct number of arguments;
#       report file name in /tmp is predictable

# build report name using keyword search and date
log_report=/tmp/$1.logreport.$(date '+%m%d%y')

# build report header with system type, hostname, date and time
echo "==============================================================" \
  >"$log_report"
echo "  S Y S T E M   M O N I T O R   L O G" >>"$log_report"
uname -a >>"$log_report"
echo "Log report for" "$(hostname -f)" "on" "$(date '+%c')" >>"$log_report"
echo "==============================================================" \
  >>"$log_report"
echo "" >>"$log_report"

# record log search start
echo "Search for->" "$1" "starting" "$(date '+%r')" >>"$log_report"
echo "" >>"$log_report"

# get and save grep results of keyword ($1) from logfile ($2)
grep -i -- "$1" "$2" >>"$log_report"

# build report footer with time
echo "" >>"$log_report"
echo "End of" "$log_report" at "$(date '+%r')" >>"$log_report"

# mail report to root
mail -s "Log Analysis for $1" root <"$log_report"

# clean up and remove report
rm "$log_report"
exit 0
In this example, the script creates the variable $log_report, which holds the filename of the temporary report. The keyword ($1, the first argument on the command line) is used as part of the filename, along with the current date. Using $$ (the script's PID) instead of the date makes collisions between runs less likely, but neither value is safe for a file in a world-writable directory such as /tmp: anyone who can predict the name can create that file, or a symbolic link of that name, before the root cron job writes to it. Use mktemp to create the report file instead. Next, the report header containing some formatted text, the output of the uname command, and the hostname and date is added to the report. The start of the search is then recorded, and any lines in the log that match the keyword (case-insensitively, with grep treating the keyword as a regular expression) are added to the report. A footer containing the name of the report and the time is then added. The report is mailed to root with the search term as the subject of the message, and the temporary file is deleted. Because the exit status of grep is never checked, a report is mailed even when nothing matched.
By default, Ubuntu uses the logwatch log monitoring command (actually a Perl script) in your system's /etc/cron.daily directory to generate various reports each day at 0402 (4:02 a.m.); the exact time is whatever the cron.daily entry in /etc/crontab specifies, so check that file on your system. Configure logwatch by editing the file /etc/log.d/logwatch.conf. Other system monitoring tools are included, such as Tripwire. System logging can be controlled by editing /etc/syslog.conf.
You can test the script by running it manually and feeding it a keyword and a pathname to the system log, /var/log/messages, like this:
# greplog FAILED /var/log/messages
Note that your system should be running the syslogd daemon. If any login failures have occurred on your system, the root operator might get an email message that looks like this:
  S Y S T E M   M O N I T O R   L O G
Linux stinky 2.4.22-1.2088.nptl #1 Thu Oct 9 20:21:24 EDT 2003 i686 i686 i386 GNU/Linux
Log report for stinkpad.home.org on Thu 23 Oct 2003 04:23:24 PM EDT

Search for-> FAILED starting 04:23:24 PM

Oct 23 16:23:04 stinkpad login: FAILED LOGIN 3 FROM (null) FOR bball, Authentication failure

End of /tmp/FAILED.logreport.102303 at 04:23:24 PM
To further automate the process, you can include command lines using the script in another script to generate a series of searches and reports.
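The following is a hardened reworking of the greplog idea, added here as an example; it is not the book's script. It fixes the weaknesses noted above: the argument count is checked, the report file comes from mktemp instead of a predictable name in /tmp, every expansion is quoted, the keyword is matched as a fixed string (grep -F) rather than a regular expression, and grep's exit status decides whether there is anything worth mailing. It assumes bash, GNU grep and mktemp from coreutils, and it builds a constructed four-line sample log in the syslog format shown above (not a real system log) so that it runs without root or a real /var/log/messages. The mail step is left commented out so the example has no side effects.

```bash
#!/bin/bash
# greplog2: hardened reworking of greplog (added example, not the book's
# script). Assumes bash, GNU grep and coreutils mktemp.

# Constructed sample log (not a real system log) so the example runs
# offline. The caller is responsible for removing the file.
make_sample_log() {
    local f
    f=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX") || return 2
    cat >"$f" <<'EOF'
Oct 23 16:23:04 stinkpad login: FAILED LOGIN 3 FROM (null) FOR bball, Authentication failure
Oct 23 16:24:10 stinkpad sshd[2112]: Accepted password for bball from 192.0.2.10 port 51022 ssh2
Oct 23 16:25:31 stinkpad sshd[2140]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
Oct 23 16:26:02 stinkpad su: pam_unix(su:auth): authentication failure; logname=bball uid=1000
EOF
    printf '%s\n' "$f"
}

# Number of lines in log $2 containing keyword $1 (case-insensitive,
# fixed string). grep -c exits 1 when the count is 0, hence the "|| :".
count_matches() {
    grep -i -F -c -- "$1" "$2" || :
}

# Write a report for keyword $1 over log $2 into file $3.
# Returns 0 when at least one line matched, 1 when nothing matched,
# 2 on a usage error, an unreadable log, or a grep failure.
build_report() {
    [ "$#" -eq 3 ] || { echo "usage: build_report keyword logpath reportpath" >&2; return 2; }
    local keyword=$1 logfile=$2 report=$3 gstatus=0
    [ -r "$logfile" ] || { echo "greplog2: cannot read $logfile" >&2; return 2; }
    {
        echo "=============================================================="
        echo "  S Y S T E M   M O N I T O R   L O G"
        uname -a
        echo "Log report for $(uname -n) on $(date '+%c')"
        echo "=============================================================="
        echo
        echo "Search for-> $keyword starting $(date '+%r')"
        echo
        # -F: keyword is a literal string, so "." or "*" in it cannot
        # widen the match; "--" stops a keyword starting with "-" being
        # parsed as an option.
        grep -i -F -- "$keyword" "$logfile" || gstatus=$?
        echo
        echo "End of $report at $(date '+%r')"
    } >"$report"
    [ "$gstatus" -le 1 ] || return 2   # 2 or more means grep itself failed
    return "$gstatus"
}

# Command-line entry point: greplog2 keyword logpathname
main() {
    [ "$#" -eq 2 ] || { echo "usage: greplog2 keyword logpathname" >&2; exit 2; }
    local report
    # mktemp creates the file with mode 0600 and an unpredictable name,
    # so nobody can pre-create it or plant a symlink where root will write.
    report=$(mktemp "${TMPDIR:-/tmp}/greplog.XXXXXX") || exit 2
    trap 'rm -f "$report"' EXIT        # removed on every exit path
    if build_report "$1" "$2" "$report"; then
        # mail -s "Log Analysis for $1" root <"$report"   # enable to send
        cat "$report"
    else
        echo "greplog2: no lines matching '$1' in $2; nothing to mail" >&2
    fi
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Run it as `./greplog2 FAILED /var/log/messages` (or whichever log your syslogd writes to); with no matches it says so on stderr and mails nothing, which is the behaviour you want from a cron job that would otherwise send root an empty report every day.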