Whatever else you do to secure a Linux system, it must have comprehensive, accurate, and carefully watched logs. Logs serve several purposes. First, they help us troubleshoot virtually all kinds of system and application problems. Second, they provide valuable early-warning signs of system abuse. Third, after all else fails (whether that means a system crash or a system compromise), logs can provide us with crucial forensic data.
This chapter is about making sure your system processes and critical applications log the events and states you’re interested in, and about dealing with that data once it’s been logged. The two logging tools we’ll cover are syslog and the more powerful Syslog-ng (“syslog new generation”). In the monitoring arena, we’ll discuss Swatch (the Simple Watcher), a powerful Perl script that monitors logs in real time and takes action on specified events.