Securing Your Web Server - Syslog con
Although the default configuration is acceptable, the /etc/syslog.conf file is still worth exploring, as you'll see in Example 4-2.
Example 4-2. The /etc/syslog.conf file
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility .
#
auth.info,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only
# on a virtual console that I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To
# use it, you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
At the very least, the auth facility should have a priority of info or higher:
auth.info /var/log/auth.log
Disk space is cheap, so capturing everything is not completely out of the question:
*.* /var/log/all_messages
Decide what is important to you and run with it.
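Reading a selector such as *.*;auth,authpriv.none correctly takes some care: selectors on one line are applied left to right, a plain priority means "that priority or higher", "none" clears the facility, and a leading "-" or "|" on the action changes how the message is written. The following is an added example, not code from the book: a small Python simulator of sysklogd-style selector matching that answers "which actions receive an auth.info message?" for a shortened copy of Example 4-2. The facility and priority tables, the action labels (file(sync), file(async), pipe, wall) and the function names are this example's own choices, and the "!=" / "!" handling follows the sysklogd manual's description rather than a real daemon's source.

```python
"""Simulate which syslog.conf actions receive a message (added example)."""

# Severity order used by syslog: higher index = more severe.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]

# Constructed sample: a shortened copy of the Example 4-2 rules (assumption:
# the full file behaves the same for the facilities used below).
EXAMPLE_CONF = """\
auth.info,authpriv.*        /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
daemon.*                    -/var/log/daemon.log
mail.*                      -/var/log/mail.log
mail.err                    /var/log/mail.err
*.=debug;\\
    auth,authpriv.none;\\
    news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\\
    auth,authpriv.none;\\
    cron,daemon.none;\\
    mail,news.none          -/var/log/messages
*.emerg                     *
daemon.*;mail.*;\\
    news.crit;news.err;news.notice;\\
    *.=debug;*.=info;\\
    *.=notice;*.=warn       |/dev/xconsole
"""


def _level(name):
    """Numeric severity of a priority name, resolving aliases like 'warn'."""
    return PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def _join_continuations(text):
    """Drop comments and blank lines; glue lines that end with a backslash."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        rules.append(buf + line)
        buf = ""
    return rules


def _split_selector(sel):
    """Yield (facility, priority_spec) pairs for 'a,b.pri' or 'a.p1,b.p2'."""
    pending = []
    for item in sel.split(","):
        item = item.strip()
        if "." in item:
            fac, pri = item.rsplit(".", 1)
            for f in pending + [fac]:
                yield f, pri
            pending = []
        else:
            pending.append(item)
    if pending:
        raise ValueError("facility without priority in selector: %r" % sel)


def parse_rule(rule):
    """Return ({facility: set(levels)}, action) for one 'selectors action' line."""
    selectors, action = rule.rsplit(None, 1)
    mask = {f: set() for f in FACILITIES}
    everything = set(range(len(PRIORITIES)))
    for sel in filter(None, selectors.split(";")):
        for fac, pri in _split_selector(sel):
            facs = FACILITIES if fac == "*" else [fac]
            for f in facs:
                cur = mask.setdefault(f, set())
                if pri == "*":
                    mask[f] = set(everything)
                elif pri == "none":              # clears what earlier selectors set
                    mask[f] = set()
                elif pri.startswith("!="):       # exclude exactly this priority
                    cur.discard(_level(pri[2:]))
                elif pri.startswith("!"):        # exclude this priority and above
                    cur.difference_update(range(_level(pri[1:]), len(PRIORITIES)))
                elif pri.startswith("="):        # exactly this priority
                    cur.add(_level(pri[1:]))
                else:                            # this priority or higher
                    cur.update(range(_level(pri), len(PRIORITIES)))
    return mask, action


def describe_action(action):
    """Label the action type: sync file, async ('-') file, pipe ('|'), remote, wall."""
    if action == "*":
        return "wall:all-users"
    if action.startswith("|"):
        return "pipe:" + action[1:]
    if action.startswith("@"):
        return "remote:" + action[1:]
    if action.startswith("-"):
        return "file(async):" + action[1:]
    return "file(sync):" + action


def route(config_text, facility, priority):
    """List, in file order, every action that receives a (facility, priority) message."""
    level = _level(priority)
    targets = []
    for rule in _join_continuations(config_text):
        mask, action = parse_rule(rule)
        if level in mask.get(facility, set()):
            targets.append(describe_action(action))
    return targets


if __name__ == "__main__":
    for fac, pri in [("auth", "info"), ("auth", "debug"), ("mail", "err"), ("kern", "emerg")]:
        print("%s.%s -> %s" % (fac, pri, route(EXAMPLE_CONF, fac, pri)))
```

Running it shows why the text insists on auth.info as a minimum: with this file an auth.debug message reaches only the /dev/xconsole pipe, because every file rule either starts at info or excludes auth with auth,authpriv.none, while auth.info lands in /var/log/auth.log (written synchronously, since the action has no leading "-").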
Logs mean nothing unless you do something with them. They must be processed, monitored, and reviewed. Sometimes logs are all that you have after an attack—if you’re lucky, and the attacker didn’t destroy or alter them.
With that in mind, decide which events are worth interrupting dinner for, and which ones can go unnoticed.
This article is excerpted from chapter four of Securing Ajax Applications: Ensuring the Safety of the Dynamic Web, written by Christopher Wells (O'Reilly, 2007; ISBN: 0596529317).