Chapter 12. System Log Management and Monitoring
Whatever else you do to secure a Linux system, it must have
comprehensive, accurate, and carefully watched logs. Logs serve
several purposes. First, they help to troubleshoot all kinds of
system and application problems. Second, they provide valuable early
warning signs of system abuse. Third, after all else fails (whether
that means a system crash or a system compromise), logs can provide
us with crucial forensic data.

This chapter is about making sure your system processes and critical
applications log the events and states you're
interested in and dealing with this data once it's
been logged. The two logging tools we'll cover are
syslog and the more powerful Syslog-ng ("syslog next
generation"). In the monitoring arena,
we'll discuss Swatch
(the Simple Watcher), a powerful Perl script that monitors logs in
real time and takes action on specified events, plus a few
"offline" log-reporting tools.