16. Loadable Module: Log Monitoring (IDM_log_monitoring.pm)

16.1. What and How

This module monitors configured syslog-related files (usually, /var/log/*; also /var/adm/*, for Solaris) for deleted entries. These might indicate the presence of an intruder.

A supporting script or utility is required to keep, by some means, an up-to-date copy of the configured logs in a private, local directory. (TO-DO: make use of remote logs on a dedicated log-server instead.) This copy is compared to the original (e.g., in /var/log), and any differences are logged.
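The comparison step described above, as an added example in Perl (this is not code from IDM_log_monitoring.pm; the file names and syslog lines are constructed for the demonstration). Because syslog files are append-only, every line in the private copy should still be present in the live file; the check therefore takes a multiset difference, which tolerates lines appended after the copy was taken but flags lines that have vanished, whether the file was truncated or individual entries were edited out.

```perl
#!/usr/bin/perl
# Added example: detect log entries that were removed from a live syslog file
# by comparing it against a private copy taken earlier. This is not code from
# IDM_log_monitoring.pm; the file names and log lines below are constructed.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Read a file into a list of lines (newlines stripped).
sub read_lines {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot read $path: $!";
    chomp(my @lines = <$fh>);
    close $fh;
    return \@lines;
}

# Return the lines of the private copy that no longer occur in the live log.
# Syslog files are append-only, so every copied line should still be there;
# a multiset difference tolerates lines appended after the copy was taken.
sub missing_entries {
    my ($copy, $live) = @_;
    my %deficit;
    $deficit{$_}++ for @$copy;     # expected occurrences
    $deficit{$_}-- for @$live;     # actual occurrences
    my @missing;
    for my $line (@$copy) {        # report in original order, once per deletion
        next unless ($deficit{$line} // 0) > 0;
        push @missing, $line;
        $deficit{$line}--;
    }
    return \@missing;
}

# Compare one configured log against its copy and return a report line,
# or undef when nothing was removed.
sub check_log {
    my ($live_path, $copy_path) = @_;
    my $copy    = read_lines($copy_path);
    my $live    = read_lines($live_path);
    my $missing = missing_entries($copy, $live);
    return undef unless @$missing;
    my $why = @$live < @$copy ? 'file shrank' : 'entries removed';
    return sprintf("%s: %d entries present in copy but missing from live log (%s)",
                   $live_path, scalar @$missing, $why);
}

# Constructed demonstration: the "session opened" line disappears from the
# live log while an unrelated cron line has been appended since the copy.
my @original = (
    'Apr  9 17:01:02 host sshd[811]: Accepted password for alice from 10.0.0.5 port 51022 ssh2',
    'Apr  9 17:01:09 host sshd[811]: pam_unix(sshd:session): session opened for user alice',
    'Apr  9 17:02:40 host su: (to root) alice on pts/0',
);
my ($cfh, $copy_path) = tempfile();
print {$cfh} "$_\n" for @original;
close $cfh;

my ($lfh, $live_path) = tempfile();
print {$lfh} "$_\n"
    for ($original[0], $original[2],
         'Apr  9 17:05:01 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)');
close $lfh;

my $report = check_log($live_path, $copy_path);
print "$report\n" if defined $report;   # one entry reported as missing
unlink $copy_path, $live_path;
```

The copy is only as trustworthy as the host it lives on: an intruder with root can edit the copy as well as the original, which is what the TO-DO about a dedicated log-server addresses. Log rotation will also make the live file shrink legitimately, so in practice the copy must be rotated (or re-seeded) at the same time as the original to avoid a false report.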

16.2. Miscellaneous Points of Note

16.3. Supporting Script

A supporting script, <sids_root>/src/Scripts/taillogfile, is provided which uses the CPAN module File::Tail to effectively "tail -f" configured syslog[-ng] destinations (e.g., /var/log/messages and /var/log/iptables).

This script must be configured and started before the main Cheesewire application.
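An added example of what such a copy-keeping script looks like (this is not the project's taillogfile, and the destination list and private directory path are assumptions). It uses the File::Tail CPAN module named above to follow the configured destinations and appends each new line to a per-file copy in a directory readable only by the running user.

```perl
#!/usr/bin/perl
# Added example of a copy-keeping script, not the project's taillogfile:
# follow configured syslog[-ng] destinations with File::Tail (CPAN) and
# append every new line to a private copy for later comparison.
# The destination list and the private directory are assumptions.
use strict;
use warnings;
use IO::Handle;
use File::Basename qw(basename);
use File::Tail;

my $private_dir  = '/var/lib/cheesewire/logcopies';        # assumed location
my @destinations = ('/var/log/messages', '/var/log/iptables');

umask 077;                                   # copies are readable by this user only
mkdir $private_dir or die "cannot create $private_dir: $!" unless -d $private_dir;

my (@tails, %copy_of);
for my $path (@destinations) {
    my $copy = "$private_dir/" . basename($path);
    open my $fh, '>>', $copy or die "cannot append to $copy: $!";
    $fh->autoflush(1);                       # a crash must not lose buffered lines
    # tail => 0: start at the current end of file. Lines written while this
    # script is down are simply not covered by the copy; they never produce
    # a false "missing entry" report, because the copy stays a subset.
    my $tail = File::Tail->new(name => $path, tail => 0,
                               interval => 1, maxinterval => 5);
    $copy_of{$tail} = $fh;                   # keyed by the object's address
    push @tails, $tail;
}

# Block until one of the tailed files has data, then copy the new lines.
while (1) {
    my ($nfound, undef, @ready) = File::Tail::select(undef, undef, undef, 60, @tails);
    next unless $nfound;
    for my $tail (@ready) {
        my $line = $tail->read;              # one complete line, newline included
        print { $copy_of{$tail} } $line;
    }
}
```

Run it as a user that can read the destinations (normally root), and start it before the main application so the copies exist when the module first compares them.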

16.4. Configuration

Uses Modules_Config.pm to determine which syslog[-ng] destinations to tail, though some "manual" configuration is still required (TO-DO: fix this).






About this document:

Produced from the SGML: /home/isd/public_html/_cheesewire/_reml_grp/index.reml
On: 4/9/2006 at 17:35:44
Options: reml2 -i noindex -l long -o html -p multiple