* log files
From: Pittigher, Raymond - ES @ 2011-06-17 18:15 UTC (permalink / raw)
To: linux-audit@redhat.com
What do the users of this list use to read the log files? I have tried Spacewalk (which is nice) but is a lot of software to install to read logs. I have looked at Prewikka but do not have it totally configured yet to give it an OK or not.
This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
* Re: log files
From: LC Bruzenak @ 2011-06-17 18:27 UTC (permalink / raw)
To: Pittigher, Raymond - ES; +Cc: linux-audit@redhat.com
On Fri, 2011-06-17 at 14:15 -0400, Pittigher, Raymond - ES wrote:
> What do the users of this list use to read the log files? I have tried
> Spacewalk (which is nice) but is a lot of software to install to read
> logs. I have looked at Prewikka but do not have it totally configured
> yet to give it an OK or not.
My experiences (I assume you specifically mean the audit logs):
Prewikka would be for IDS events only with the prelude plugin.
I use the audit-viewer with pre-constructed list tabs to match events
necessary for verification testing.
For faster results when looking for specific events or investigation, I
use the command line tools aureport and ausearch.
What would be great IMHO is to have a prewikka-like web interface for
the audit events.
HTH,
LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* RE: log files
From: Pittigher, Raymond - ES @ 2011-06-17 18:32 UTC (permalink / raw)
To: LC Bruzenak; +Cc: linux-audit@redhat.com
_______________________________________
From: LC Bruzenak [lenny@magitekltd.com]
Sent: Friday, June 17, 2011 2:27 PM
To: Pittigher, Raymond - ES
Cc: linux-audit@redhat.com
Subject: Re: log files
On Fri, 2011-06-17 at 14:15 -0400, Pittigher, Raymond - ES wrote:
> What do the users of this list use to read the log files? I have tried
> Spacewalk (which is nice) but is a lot of software to install to read
> logs. I have looked at Prewikka but do not have it totally configured
> yet to give it an OK or not.
My experiences (I assume you specifically mean the audit logs):
Prewikka would be for IDS events only with the prelude plugin.
I use the audit-viewer with pre-constructed list tabs to match events
necessary for verification testing.
For faster results when looking for specific events or investigation, I
use the command line tools aureport and ausearch.
What would be great IMHO is to have a prewikka-like web interface for
the audit events.
HTH,
LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
I also used the au tools (aureport, aufind, etc) but just wanting an average user to view the bad events brings the need of a point and click interface. The people that now read the audit events for the windows servers are spoiled by the cornerbowl tool. I tossed together a little script that dumps the audit events into an array, then sorts them and dumps them out but the users want a red background for bad and so on. Before I went crazy trying to put something together I wanted to see what was out in the wild. I guess something that dumps the files into MySQL tables would be the easiest to work with.
* Re: log files
From: Steve Grubb @ 2011-06-17 18:38 UTC (permalink / raw)
To: linux-audit
On Friday, June 17, 2011 02:15:19 PM Pittigher, Raymond - ES wrote:
> What do the users of this list use to read the log files? I have tried
> Spacewalk (which is nice) but is a lot of software to install to read
> logs. I have looked at Prewikka but do not have it totally configured yet
> to give it an OK or not.
The audit log files are intended to be read with ausearch. You can also use vi or less
or emacs as long as you don't change anything. :) But ausearch has more knowledge
about the logs and can make it easier to understand.
The aureport tool can give columnar and summary information about the logs. It can
also take the raw output of ausearch as input if you want to do anything fancy. (See
the http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf article about the
audit system for examples of combining ausearch and aureport.)
Aulast can tell you about login sessions and give you command line queries to extract
information about a particular login session. (This is newer and not available in
older audit package releases.)
As for syslog and application log files, I'm sure there are a lot of tools.
-Steve
* RE: log files
From: Dominick Grift @ 2011-06-17 18:57 UTC (permalink / raw)
To: Pittigher, Raymond - ES; +Cc: linux-audit@redhat.com
On Fri, 2011-06-17 at 14:32 -0400, Pittigher, Raymond - ES wrote:
> What would be great IMHO is to have a prewikka-like web interface for
> the audit events.
There is an audisp plugin for prelude:
$ repoquery -qf /sbin/audisp-prelude
audispd-plugins-0:2.1.2-1.fc16.x86_64
http://people.redhat.com/sgrubb/audit/prelude.txt
* Re: log files
From: Pittigher, Raymond - ES @ 2011-06-17 19:15 UTC (permalink / raw)
Cc: linux-audit@redhat.com
On 06/17/2011 02:56 PM, LC Bruzenak wrote:
> On Fri, 2011-06-17 at 14:32 -0400, Pittigher, Raymond - ES wrote:
> >
> > I also used the au tools (aureport, aufind, etc) but just wanting an
> > average user to view the bad events brings the need of a point and click
> > interface.
>
> Agreed.
>
> > The people that now read the audit events for the windows servers are
> > spoiled by the cornerbowl tool. I tossed together a little script that
> > dumps the audit events into an array, then sorts them and dumps them
> > out but the users want a red background for bad and so on. Before I
> > went crazy trying to put something together I wanted to see what was
> > out in the wild. I guess something that dumps the files into MySQL
> > tables would be the easiest to work with.
>
> Then what would you use for visualization?
> This week I have been thinking about this very thing myself.
> Good to know others are as well.
>
> LCB
>
> --
> LC (Lenny) Bruzenak
> lenny@magitekltd.com
>
The plan would be to rotate the log at midnight Saturday, use the
aureport to read the file and give it some kind of format, dump the data
into a mysql database, then parse it with php on an apache server with a
firefox front end. Or something like that.
* Re: log files
From: LC Bruzenak @ 2011-06-17 19:56 UTC (permalink / raw)
To: Pittigher, Raymond - ES; +Cc: linux-audit@redhat.com
On Fri, 2011-06-17 at 15:15 -0400, Pittigher, Raymond - ES wrote:
>
> The plan would be to rotate the log at midnight Saturday, use the
> aureport to read the file and give it some kind of format, dump the data
> into a mysql database, then parse it with php on an apache server with a
> firefox front end. Or something like that.
OK; that was my thinking as well.
Only I roll mine up each day already and move them out of the way.
I think you would likely use a custom program which used the parse libs
to extract the searchable elements from each event.
What I was wondering is if on the front end (cgi+browser-side) you had
something in mind which existed already - or if you would code it up
from scratch with the php-mysql piece?
Thx,
LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* RE: log files
From: Pittigher, Raymond - ES @ 2011-06-17 21:33 UTC (permalink / raw)
To: LC Bruzenak; +Cc: linux-audit@redhat.com
From: LC Bruzenak [lenny@magitekltd.com]
Sent: Friday, June 17, 2011 3:56 PM
To: Pittigher, Raymond - ES
Cc: linux-audit@redhat.com
Subject: Re: log files
On Fri, 2011-06-17 at 15:15 -0400, Pittigher, Raymond - ES wrote:
>
> The plan would be to rotate the log at midnight Saturday, use the
> aureport to read the file and give it some kind of format, dump the data
> into a mysql database, then parse it with php on an apache server with a
> firefox front end. Or something like that.
OK; that was my thinking as well.
Only I roll mine up each day already and move them out of the way.
I think you would likely use a custom program which used the parse libs
to extract the searchable elements from each event.
What I was wondering is if on the front end (cgi+browser-side) you had
something in mind which existed already - or if you would code it up
from scratch with the php-mysql piece?
Thx,
LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
All I know is the PHP/MySQL stuff so that would be the plan. I only asked on the list to see if someone already started it or if something is out in the wild. The module for Spacewalk (and probably satellite) is nice and would probably use Joshua Roys's auc program to clean up the data. I have Prewikka installed on a spare RHEL5 server to test with but it seems that it needs to have something written to handle reading the audit log data. I only started to look at it and was mostly interested in Spacewalk because it is a RedHat program and would fit nicely in our RedHat shop. Using the LAMP stack would also make it easy to connect from anywhere with anything.
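One way to build the "custom program that extracts the searchable elements from each event" step of the plan discussed in this thread, as an added example written for this page and not code from any of the posters: it parses the raw record format auditd writes to audit.log with regular expressions (rather than the auparse library), flags failed events for the "red background" view, and emits a parameterised MySQL INSERT. The sample records, the table name `audit_events` and the column set are constructed assumptions.

```python
import re

# Constructed sample records in the raw format auditd writes to audit.log
# (invented for this example, not data from the thread).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1308334519.123:2001): pid=2310 uid=0 auid=500 ses=4 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1308334585.456:2002): pid=2340 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=ssh res=failed'
type=SYSCALL msg=audit(1308334600.789:2003): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0 a1=0 items=1 ppid=2400 pid=2401 auid=500 uid=500 comm="cat" exe="/bin/cat" key="etc-shadow"
"""

# type=... msg=audit(<seconds>.<millis>:<serial>): <key=value fields>
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# Values are bare, double-quoted or single-quoted; quotes are stripped below.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # not an audit record (blank line, separator, garbage)
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    # USER_* records keep their useful fields inside a nested msg='...'; flatten it.
    nested = re.search(r"msg='(.*)'$", body)
    if nested:
        body = body[:nested.start()] + nested.group(1)
    for key, val in FIELD_RE.findall(body):
        rec[key] = val.strip("\"'")
    return rec

def is_bad(rec):
    """The 'red background' rule: a failed user event or a denied syscall."""
    return rec.get("res") == "failed" or rec.get("success") == "no"

def to_rows(text):
    """Parse every record in a log dump; each row carries a 'bad' flag for the front end."""
    rows = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            rec["bad"] = is_bad(rec)
            rows.append(rec)
    return rows

COLUMNS = ("serial", "time", "type", "auid", "exe", "addr", "res", "key", "bad")

def insert_stmt(rec):
    """Parameterised INSERT for cursor.execute(sql, params): comm, exe, hostname and
    similar values are influenced by whoever triggered the event, so bind them, never splice."""
    cols = ", ".join(f"`{c}`" for c in COLUMNS)
    marks = ", ".join("%s" for _ in COLUMNS)
    params = tuple(int(rec["bad"]) if c == "bad" else rec.get(c) for c in COLUMNS)
    return f"INSERT INTO audit_events ({cols}) VALUES ({marks})", params
```

The same binding rule applies on the PHP side: escape every field before rendering it in HTML, since a process name or hostname taken from the log can carry markup.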