
Linux log-watching for the lazy

Keeping track of log files is one of the best ways to spot network intruders before they do lasting damage. It is also the most time-consuming and mind-numbingly dull job in the world unless you have a log-watching tool.
By Alastair Otter, Journalist, Tectonic
Johannesburg, 11 Apr 2002

Keeping track of the log files on a Linux box is among the best ways of making sure that all is well and that intruders are not playing havoc with it. It is also the most mind-numbingly dull job in the world, and one that soon consumes the greater part of your life. Humans are fallible, too, and making sure that everything of importance has been picked up by eye is an inexact science at best.


Last week I looked at some of the open source intrusion detection and monitoring tools that make a good start in protecting a Linux network. Among them was a log-monitoring tool, which makes the whole process of keeping an eye on activity about as easy as it gets.

One tool that I didn't mention is Swatch (the Simple Watcher). In many ways it does what a lot of other tools can do, but its highly configurable nature makes it one of my favourite tools for the job of monitoring log files.

Written in Perl, Swatch tails log files as they are written and checks each new line against pre-defined patterns (Perl regular expressions). When a noteworthy line turns up, Swatch takes whatever actions the administrator has told it to take. The most likely action is to mail the administrator with details of the activity, although any other action, such as running a script, can be defined.

Getting started

Setting up Swatch is simple enough if you have a working knowledge of regular expressions, because the core of the application is a single configuration file, .swatchrc. By default this file lives in your home directory, and it holds every regular expression to be checked for, each followed by the actions to take when the expression matches.

An example is the Apache error log. If you're running the Apache Web server and someone is sending absurdly long file names in an effort to trigger a buffer overflow, the error log will contain lines along the lines of "File name too long". If that pattern is included in the .swatchrc file, Swatch will act on every line that carries the message. All that is required in .swatchrc is a "watchfor /File name too long/" line, followed by the actions to take. Note that the match is case-sensitive unless you append the "i" modifier to the expression (/file name too long/i), so a pattern typed in lower case will silently miss Apache's actual wording. The action could be "mail", but it could just as well be "exec" to launch a script or application, or even a console-based sound and visual alert (Swatch's "bell" and "echo" actions).

Each running copy of Swatch reads one configuration file and tails one log file. There is no reason, however, that several copies of Swatch can't run side by side, each with its own log file. Simply copy .swatchrc under another name, such as .swatch.htaccess, and start a second instance pointed at that configuration with the -c (--config-file) option and at the second log with -t (--tail-file); two log files are then covered.

What I've outlined here barely scratches the surface of the Swatch application, but it does give something of an idea of what the tool is capable of. Once you've got your head around the basics, there are almost limitless applications, particularly because Swatch is built on regular expressions. A single action can be triggered by several different error messages, for example, by combining them with alternation, as in /rejected|failed/, which picks up any line containing either word and then takes the action. (Leave the spaces out around the bar: in a regular expression they are part of the pattern, so /rejected | failed/ would only match "rejected " or " failed".)
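To make the two points above concrete, here is a small Python script (an added example written for this page, not Swatch's own Perl code, which is far more capable) that parses the "watchfor /regex/" plus indented-actions subset of a .swatchrc and runs it over a few constructed log lines. Everything in it is an assumption for illustration: the .swatchrc fragment, the sample Apache and sshd lines, and the simulated actions, which are collected rather than executed. It shows why the "i" modifier matters for "File name too long", what /rejected|failed/ does and does not catch, and mirrors Swatch's default of stopping at the first matching rule unless that rule carries the "continue" action.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed .swatchrc fragment (not from the article). Each rule is a
# 'watchfor /regex/' line followed by indented action lines, the shape Swatch 3
# uses; the trailing 'i' makes the match case-insensitive, as in Perl.
SWATCHRC = """\
# Apache error log: over-long request paths, a common overflow probe.
# Without the /i this would miss Apache's actual text, "File name too long".
watchfor /file name too long/i
    echo
    mail addresses=root,subject="Apache: long file name"

# One rule, two messages, via alternation. Deliberately case-sensitive,
# to show what it does NOT catch (sshd logs "Failed password").
watchfor /rejected|failed/
    echo
    bell
"""

# Constructed sample log lines: one Apache error_log entry, then syslog-style.
SAMPLE_LOG = [
    "[Thu Apr 11 10:02:13 2002] [error] [client 10.0.0.5] File name too long: /var/www/html/AAAAAAAAAAAAAAAAAAAA",
    "[Thu Apr 11 10:02:14 2002] [error] [client 10.0.0.5] File does not exist: /var/www/html/robots.txt",
    "Apr 11 10:03:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 4044 ssh2",
    "Apr 11 10:03:05 host sshd[1235]: connection rejected: too many authentication failures",
]


@dataclass
class Rule:
    pattern: re.Pattern
    actions: List[str] = field(default_factory=list)


WATCHFOR_RE = re.compile(r"^watchfor\s+/(.+)/(i?)\s*$")


def parse_swatchrc(text: str) -> List[Rule]:
    """Parse the watchfor/action subset of .swatchrc into Rule objects."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        m = WATCHFOR_RE.match(raw)
        if m:
            flags = re.IGNORECASE if m.group(2) else 0
            rules.append(Rule(re.compile(m.group(1), flags)))
        elif raw[0].isspace() and rules:
            rules[-1].actions.append(raw.strip())     # indented: action of last rule
        else:
            raise ValueError(f"cannot parse .swatchrc line: {raw!r}")
    return rules


def watch(rules: List[Rule], lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run each line past the rules in order; return (line index, actions fired).

    As in Swatch, the first rule that matches wins and the rest are skipped,
    unless that rule lists the 'continue' action.
    """
    hits: List[Tuple[int, List[str]]] = []
    for idx, line in enumerate(lines):
        for rule in rules:
            if rule.pattern.search(line):
                hits.append((idx, [a for a in rule.actions if a != "continue"]))
                if "continue" not in rule.actions:
                    break
    return hits


if __name__ == "__main__":
    for idx, actions in watch(parse_swatchrc(SWATCHRC), SAMPLE_LOG):
        print(f"line {idx}: {SAMPLE_LOG[idx][:60]}... -> {', '.join(actions)}")
```

Run as written, only the Apache "File name too long" line and the "connection rejected" line fire; the sshd "Failed password" line is missed because the second rule has no "i" modifier, which is exactly the sort of quiet gap a case-sensitive pattern leaves. Change that rule to /rejected|failed/i and the sshd line fires too. The real Swatch is started with something like swatch -c ~/.swatchrc -t /var/log/httpd/error_log and executes the actions for you; this script only reports which ones would run.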

Getting deeper into Swatch will require a bit of online reading and a close study of the man page. But as a tool, Swatch makes the job a whole lot simpler.
