Linux LOG files!

Today I was setting up iptables and writing its logs to a separate file so that I can find all the alert and info messages easily. Writing a quick blog post came to my mind, in case any newbie wants to have some basic idea about Linux logs (trying to catch a hacker? Not easy! hehe). I am doing it on my Debian system (later I will edit this when I do the same thing on other distros :)).
System logs are really important for storing system security, security auditing, debugging and other information in specific files. These can be used for various security tasks: logging fake/real hackers, system issues, etc. Where the log files are saved and what types of logs are generated is specified in “/etc/rsyslog.conf” (Debian/Ubuntu). Here is my current configuration file:

##striped

We configure everything about the logs in this file. Usually Linux/Unix stores the logs in the directory “/var/log/” if it is not customized. In “/var/log” we can find all the log files:

http://pastebin.com/d0LfNFfg

Let me explain a few of them:

apt          ==  Package installation and removal logs.
auth.log     ==  Authorization related logs.
debug        ==  Debugging logs.
dmesg        ==  Dump of the kernel message buffer.
exim4        ==  exim4 mail server logs.
faillog      ==  Failed login attempts.
kern.log     ==  Kernel level log.
lastlog      ==  Last login information.
messages     ==  Main log file.
mail.*       ==  Mail related info, alert, warning.
mysql        ==  MySQL log.
pure-ftpd    ==  FTP logs.
syslog       ==  Main log file.
wtmp         ==  Login records.

Well, to customize the logs we need to know a few things which are indicated in the rsyslog.conf file:

1. Facility (what?)
2. Level (info, warning, alert, etc.)

Facilities are:

auth       ==  Security & authorization.
authpriv   ==  Private authorization messages.
cron       ==  Cron daemon.
user       ==  User processes.
mail       ==  Mail related messages.
ftp        ==  FTP related messages.
kern       ==  Kernel related messages.
lpr        ==  Printer logs.
etc.

Levels are (depends on how much you want to know):

alert      ==  Urgent.
crit       ==  Critical messages.
warning    ==  Warning messages.
notice     ==  Suggested to verify!
info       ==  Informational messages.
debug      ==  Debugging purposes.

From the configuration file it is understandable how the Facility and Level should be indicated. For example:

mail.info            -/var/log/mail.info

Here “mail” is the Facility, “info” is the Level, and “/var/log/mail.info” tells where to save.
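As an added example (not code from the original post), here is a small Python model of how such a selector is evaluated, including the classic rule that a level like “info” catches that level and every more severe one, and the “;” and “none” forms used in the Debian default config. The sample configuration fragment is constructed for the example.

```python
# Added example, not from the original post: how an rsyslog selector such as
# the page's "mail.info  -/var/log/mail.info" decides which messages reach a file.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # most severe first

def selector_matches(selector: str, facility: str, level: str) -> bool:
    """True if facility/level is caught by e.g. 'mail.info', 'auth,authpriv.*', '*.info;mail.none'."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    matched = False
    # ';' joins selectors; a later one overrides earlier ones for the facilities it names.
    for part in selector.split(";"):
        facs, _, lvl = part.strip().rpartition(".")
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue                      # this part does not name our facility
        if lvl == "none":
            matched = False               # explicit exclusion, e.g. '*.*;auth,authpriv.none'
        elif lvl == "*":
            matched = True                # any level
        elif lvl.startswith("="):
            matched = level == lvl[1:]    # exactly this level
        elif lvl in LEVELS:
            # "facility.level" means this level AND everything more severe (lower index).
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
        else:
            raise ValueError(f"bad selector part: {part!r}")
    return matched

def route(config: str, facility: str, level: str) -> list[str]:
    """Return the files an rsyslog.conf fragment would write this message to."""
    targets = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        # A leading '-' on the path only turns off syncing after every write; drop it.
        if selector_matches(selector, facility, level):
            targets.append(action.lstrip("-"))
    return targets

# Constructed rsyslog.conf fragment in the Debian style the post describes.
SAMPLE_CONF = """
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
mail.info                -/var/log/mail.info
mail.warning             -/var/log/mail.warn
kern.*                   -/var/log/kern.log
"""
```

With this fragment a mail message at level err lands in syslog, mail.info and mail.warn, while a mail message at debug only reaches syslog, which is why “Level” controls how much you see.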

Now I am going to show some examples:

Let’s see how the SSH logs look. SSH logs are usually saved in “/var/log/auth.log”:

root@logtest:/var/log#

Blank!

So first I try a failed login attempt:

Now let’s see what is in auth.log:


The logs can be saved in another place too if we indicate it in rsyslog.conf. For example, I have made my own log file to save the iptables logs.

If someone brute forces any of the services such as ssh, ftp, etc., then all the failed attempts will be saved to auth.log (be careful if you are trying to hack! :) always clean the log files).

More:
http://en.wikipedia.org/wiki/Syslog
http://www.rsyslog.com/doc/manual.html