Logfile monitoring

Recently I checked my syslog files and realized that brute-force attacks on various system services have increased lately. So I went, again, on the quest for a log analyzer tool. The first option was to reactivate an old installation of swatch. Somehow I couldn't really relate to that idea. After all, it's in perl 😦

I googled around a bit and found logsurf. Promising: it does without perl, and supports contexts.

For effective logfile scanning it is important that actions can depend on several lines. You don't want to block yourself if you mistype your password once, do you?

Unfortunately, the termination rules for contexts weren't very flexible: it wasn't possible to start a context, do nothing if it expires, but act as desired upon repetition of a matching pattern. Or I missed the syntax. Anyway, it didn't fit my needs.

After more googling, I found sec.pl, the Simple Event Correlator. It has a lot of extremely helpful options: multi-file input, automatic re-seek upon logfile rotation (without requiring any signals), even keeping contexts across logfile rotations, thresholds, piping to external programs, wonderful. Only, it is implemented in dreadful… perl.

After some shivering I fired it up in test mode, and guess what, no missing modules, no weird error messages, no unusable CPAN commands, it just worked! And did exactly what I needed and what it promised to do! Wonderful.

Testing around and hacking up a small blocking script, I now detect brute-force attempts on sshd and pure-ftpd, and respond by blocking the offending IP address from any further communication with my home server.
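As an added illustration of the multi-line correlation described above (a context opened by the first failed login, expiring silently unless the pattern repeats within the window), here is a small Python model of the sec.pl threshold rule used for the sshd/pure-ftpd detection. It is example code written for this page, not sec.pl itself or the author's blocking script; the sshd and pure-ftpd message formats are assumptions and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix plus the two failure patterns; the exact message formats are assumptions.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
FAIL_RES = (
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"pure-ftpd: \(\?@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed"),
)
# Constructed sample log (documentation address ranges), not a real capture.
SAMPLE_LOG = """\
Mar 12 10:00:01 home sshd[2101]: Failed password for root from 192.0.2.7 port 40122 ssh2
Mar 12 10:00:03 home sshd[2103]: Failed password for invalid user admin from 192.0.2.7 port 40130 ssh2
Mar 12 10:00:04 home sshd[2110]: Failed password for bob from 198.51.100.9 port 51000 ssh2
Mar 12 10:00:05 home pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [ftp]
Mar 12 10:00:06 home sshd[2105]: Failed password for root from 192.0.2.7 port 40140 ssh2
Mar 12 10:00:20 home pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [ftp]
Mar 12 10:05:00 home pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [ftp]
Mar 12 10:05:10 home pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [ftp]
"""

class ThresholdCorrelator:
    """Mimics a sec.pl SingleWithThreshold rule: the first failure from an address opens a
    context, it expires silently after `window` seconds, and only `thresh` failures inside one
    window trigger the action (here: reporting the address the blocking script would handle)."""
    def __init__(self, thresh=3, window=60):
        self.thresh, self.window = thresh, window
        self.hits = defaultdict(deque)   # ip -> timestamps of failures still inside the window

    def feed(self, line):
        """Process one syslog line; return the offending IP when the threshold is reached."""
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ip = next((r.search(m["msg"]).group(1) for r in FAIL_RES if r.search(m["msg"])), None)
        if ip is None:
            return None                  # not a login failure: no context involved
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        q = self.hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:
            q.popleft()                  # expired context: old failures no longer count
        if len(q) < self.thresh:
            return None                  # a single typo (or a slow trickle) never fires
        q.clear()                        # fire once, then start a fresh window
        return ip

def offenders(log_text, thresh=3, window=60):
    """Run the correlator over a log; return the addresses that crossed the threshold, in order."""
    c = ThresholdCorrelator(thresh, window)
    return [ip for ip in map(c.feed, log_text.splitlines()) if ip]
```

With the sample log only 192.0.2.7 is reported: the single failure from 198.51.100.9 and the four pure-ftpd failures from 203.0.113.5 spread across five minutes never reach three hits inside one 60-second window.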

In fact, I was so happy that I also fired up scanlogd and now also get alerted about port scan attempts. All in a few minutes.

Summary: sec.pl is a wonderful, small, powerful, (non-intuitive), perl-based event correlation program for comprehensive logfile evaluation.
