
checksyslog README  James Abendschan  jwa@nbs.nau.edu  4  Dec 1996
Tested under Linux & Solaris w/ perl5.
  
There are at least two ways to scan your syslogs for security
problems or other errors.  One is to grep for data
you know is indicative of a problem .. "refused connect from",
"REPEATED LOGIN FAILURES", "STOR .rhosts".  This method
requires you to generate huge lists of things you think
are "suspicious behaviour" -- lists which are by their
nature incomplete; you need to know that a problem exists
in order to detect it.

The other way is to make a list of all the "normal" system
behaviour -- connections from trusted systems, ordinary
mail delivery, cron logs, named stats messages, and so on --
and ignore it.  Everything else is considered "out of
the ordinary" and hence should be paid close attention to.
This program attempts to do this.  I didn't come up with this idea
on my own; I'd been reading about it in the IDS list
(Intrusion Detection Systems) for some time, and finally
decided to dispense with the theory and actually write one.

There are two main files enclosed in this archive: checksyslog and
rules.  The checksyslog program is a perl script which reads
the rules file and displays everything that doesn't match the rules.
The rules file is simply a text file; rules are specified as
perl regexps.  This rules file contains some simple expressions
I use; you can customize it for your own systems easily.

If you're going to install it outside of its own directory,
or if you're going to run it from cron, or if you don't
log to /var/adm/syslog, you'll want to edit the checksyslog program
and change the $log and $rules variables to point to where
the files "really" live.  You'll also want to chmod 600 your rulefile;
why give out more information than you have to?

There are two simple command line options:

	checksyslog -today

	.. only dumps what interesting things happened today (try running
	it twice a day from cron; once at noon and once at 23:58)

	checksyslog [pattern]

	.. extracts [pattern] from the syslog.  This can be a date, a
	hostname, or anything else that appears in your syslog file.

With no arguments, it displays everything "interesting" that's happened
since the syslog was created.
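To make the "list the normal, report the rest" approach and the two
command line options concrete, here is a small perl program written as
an added example for this README; it is not the checksyslog script
itself.  Every non-comment line of @rule_text is a perl regexp, a syslog
line that matches any rule is dropped, and everything else is printed.
-today and [pattern] are handled the way the text above describes, with
[pattern] treated as literal text the line must contain (an assumption
of this example).  The rules, the sample log lines and the host names are
constructed for the demonstration; /var/adm/syslog is the path the README
mentions, and the constructed lines are used when that file is not
readable.

```perl
#!/usr/bin/perl
# Added example, not the checksyslog script: a minimal "list the normal,
# print the rest" syslog filter with -today and [pattern] options.
# The rules, the sample log lines and the host names are constructed for
# this demonstration; the log path is the one the README mentions.
use strict;
use warnings;
use POSIX qw(strftime);

my $log = '/var/adm/syslog';          # as in the README; edit to taste

# Constructed rules: one perl regexp per line, '#' lines and blank lines ignored.
my @rule_text = (
    '# connections from a trusted host',
    'in\.telnetd\[\d+\]: connect from trusted\.nbs\.nau\.edu$',
    '# ordinary mail delivery, cron jobs, named statistics',
    'sendmail\[\d+\]: .* stat=Sent$',
    'CRON\[\d+\]: \(root\) CMD ',
    'named\[\d+\]: .*stats',
);

# Constructed sample syslog lines, used when $log is not readable.
my @sample_log = (
    'Dec  4 10:01:02 loghost in.telnetd[211]: connect from trusted.nbs.nau.edu',
    'Dec  4 10:03:17 loghost sendmail[230]: KAA00230: to=jwa, delay=00:00:01, stat=Sent',
    'Dec  4 10:05:00 loghost CRON[240]: (root) CMD (run-parts /etc/cron.hourly)',
    'Dec  4 10:07:44 loghost in.ftpd[255]: refused connect from 192.0.2.10',
    'Dec  4 10:09:10 loghost login: REPEATED LOGIN FAILURES ON ttyp1, baduser',
    'Dec  3 23:55:00 loghost named[100]: stats: Dec 3 23:55:00 1996',
);

# Compile the rules once; a bad regexp in the rules file dies here, not
# silently on the first log line.
sub load_rules {
    my @rules;
    for my $text (@_) {
        next if $text =~ /^\s*(?:#|$)/;
        push @rules, qr/$text/;
    }
    return @rules;
}

# Return the lines that match no rule.  $pattern, if given, is treated as
# literal text (a date stamp, a host name) that a line must contain.
sub interesting {
    my ($rules, $pattern, @lines) = @_;
    my @out;
    LINE: for my $line (@lines) {
        next if defined $pattern && index($line, $pattern) < 0;
        for my $re (@$rules) {
            next LINE if $line =~ $re;     # "normal" traffic: ignore it
        }
        push @out, $line;                 # nothing explained it: report it
    }
    return @out;
}

my $pattern;
if (@ARGV && $ARGV[0] eq '-today') {
    $pattern = strftime('%b %e', localtime);   # syslog-style stamp, e.g. "Dec  4"
} elsif (@ARGV) {
    $pattern = $ARGV[0];
}

my @lines = @sample_log;
if (-r $log) {
    open my $fh, '<', $log or die "$log: $!";
    chomp(@lines = <$fh>);
    close $fh;
}

my @rules = load_rules(@rule_text);
print "$_\n" for interesting(\@rules, $pattern, @lines);
```

Run with no arguments against the constructed lines, only the "refused
connect from" and "REPEATED LOGIN FAILURES" lines come out; the telnet,
sendmail, cron and named lines are all explained by a rule.  Run with
"loghost" or "Dec  4" as the argument you get the same two lines; with
-today you get nothing unless today happens to be December 4th, since
the -today stamp is built from the current date.  Note that the strategy
only helps when the rules really do describe normal traffic: a rule such
as 'connect from' with no host name would also swallow the refused
connection, so keep rules as specific as the host, program and message
allow.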

Obviously, you should run this on your loghost.  Your other systems
should have a line in syslog.conf like

	*.debug			@my.loghost

so "Everything" gets logged to a single file; this is how I like
to do things.  If you're one of these people with 700 different
lines in your syslog.conf pointing to different files and log
levels, then feel free to modify the program to read all your
files.  My philosophy: "Log 'em all and let Grep sort 'em out."

In some cases (such as logging from Solaris to Linux), the
end of line will be padded with extra (invisible to the nekkid eye)
characters.  This will affect your usage of $ to indicate the
end-of-line in the rules file; don't be surprised if it doesn't
behave like it's supposed to :)
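The following is an added example (not part of checksyslog) showing the
effect just described.  The same rule, anchored with $, is matched
against a constructed line as logged locally and against the same line
with a trailing carriage return and NUL byte of the kind a remote logger
may pad it with, and then against the padded line after the trailing
padding has been stripped.  The message text and host name are
constructed.

```perl
#!/usr/bin/perl
# Added example, not from checksyslog: why a rule ending in $ can fail on
# lines padded with invisible trailing characters, and how to normalise
# them before matching.  Line content and host name are constructed.
use strict;
use warnings;

# The message as logged locally, and as received with "\r\0" padding.
my $clean  = 'Dec  4 11:00:00 loghost in.telnetd[300]: connect from trusted.nbs.nau.edu';
my $padded = $clean . "\r\0";

# A rule from the rules file that relies on $ for end-of-line.
my $rule = qr/connect from trusted\.nbs\.nau\.edu$/;

sub matches {
    my ($line) = @_;
    return $line =~ $rule ? 1 : 0;
}

# Drop trailing whitespace (which includes \r) and NUL bytes.  \z is the
# true end of string, so this cannot stop short at an embedded newline.
sub normalise {
    my ($line) = @_;
    $line =~ s/[\s\0]+\z//;
    return $line;
}

printf "clean line:          %s\n", matches($clean)             ? 'matches' : 'no match';
printf "padded line:         %s\n", matches($padded)            ? 'matches' : 'no match';
printf "padded, normalised:  %s\n", matches(normalise($padded)) ? 'matches' : 'no match';
```

The clean line matches, the padded line does not (perl's $ matches only
at the end of the string or before a final newline, not before "\r" or
"\0"), and the normalised copy matches again.  Stripping the padding once,
as each line is read, is simpler than remembering to write every rule as
'...[\s\0]*$', and it means the same rules file works whether the line
came from the local syslogd or from another system.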

