After having nightmares preying on my fears of the unlikely case of my online unstable box being compromised, I thought I would take a look at Epylog after Walter’s post.
It does not seem to have a Debian package, so I applied alien to convert the rpm to a deb and checked its contents, then installed the package. So far, so good.
I edited quite a few files to get it working on my Debian system (RH’s secure became auth.log and maillog became mail.log), and in the process I became familiar with the configuration files.
What a mess.
Python-type syntax here, config.ini style there and XML stuff thrown in for good measure. Sweet baby J. Whatever happened to one-line files like passwd? Compromise: please use Python syntax!
The HTML log files it generates could be much better. Not sure what templating engine they’ve decided to use. Seemingly not htmltmpl, which I have bothered to learn. :/
Urgh, I can’t be arsed to log iptables traffic.
When you run epylog, the console output is quite cool (esp. the parsing bit):
    bilbo$ sudo /usr/sbin/epylog
    Invoking: "Initializing epylog"...
    Initializing epylog...done
    Invoking: "Restoring log offsets"...
    Restoring log offsets...done
    Invoking the module execution routines:
    Invoking: "Processing internal modules"...
    /var/log/auth.log[.#]: [ 20 of 204 lines parsed ]
    /var/log/messages[.#]: [ 2 of 430 lines parsed ]
    /var/log/mail.log[.#]: [ 113 of 470 lines parsed ]
    Telling all threads to quit
    Waiting for threads to finish: [ all threads done ]
    Invoking: "Finished all matching, now finalizing"...
    Invoking: "Finalizing "Logins""...
    Finalizing "Logins"...done
    Invoking: "Finalizing "Packet Filter""...
    Finalizing "Packet Filter"...done
    Invoking: "Finalizing "Mail Report""...
    Finalizing "Mail Report"...done
    Invoking: "Finalizing "Notices""...
    Finalizing "Notices"...done
    Invoking: "Finalizing "Spamassassin""...
    Finalizing "Spamassassin"...done
    Invoking: "Finalizing "Weedeater""...
    Finalizing "Weedeater"...done
    (Hanging from "Finished all matching, now finalizing")....done
    (Hanging from "Processing internal modules")....done
    Finished processing modules
    Invoking: "Making the report"...
    Making the report...done
    Invoking: "Publishing the report"...
    Report saved in: /web/log.natalian.org/2004-Aug-16_Mon
    Notification mailed to: firstname.lastname@example.org
    Gzipping 2324.log: [ gzipped down to 13538 bytes ]
    Gzipped logs saved in: /web/log.natalian.org/2004-Aug-16_Mon
    (Hanging from "Publishing the report")....done
    Invoking: "Cleaning up"...
    Cleaning up...done
Although it would be better if it just gave me the report on the console.
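As an added illustration of what the "N of M lines parsed" step and the "Logins" module are doing, here is a small Python script that is not epylog's own code: it runs per-event regexes over a handful of constructed auth.log lines, counts how many lines matched, and prints a login summary straight to the console. The sample log lines, the regexes for sshd's "Accepted"/"Failed password" messages and the failure threshold used for the notices section are all my assumptions, not anything taken from the epylog project.

```python
"""Added example (not epylog's own code): an epylog-style pass over auth.log
that reports matched/total line counts and a console login summary."""
import re
from collections import Counter

# Constructed sample lines in syslog/auth.log format (not from the original post).
SAMPLE_AUTH_LOG = """\
Aug 16 03:12:01 bilbo CRON[2210]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 16 03:14:22 bilbo sshd[2231]: Accepted publickey for kim from 192.0.2.10 port 51234 ssh2
Aug 16 03:15:40 bilbo sshd[2240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug 16 03:15:43 bilbo sshd[2240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug 16 03:16:02 bilbo sshd[2242]: Failed password for invalid user admin from 198.51.100.7 port 40030 ssh2
Aug 16 03:20:11 bilbo sshd[2250]: Accepted password for kim from 192.0.2.10 port 51240 ssh2
Aug 16 03:25:00 bilbo sshd[2251]: Failed password for invalid user admin from 198.51.100.7 port 40031 ssh2
Aug 16 03:30:00 bilbo CRON[2260]: pam_unix(cron:session): session closed for user root
"""

# One regex per event type, the way epylog's modules match lines they care about.
# These patterns are assumptions about OpenSSH's message format.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

# Hypothetical threshold: a source host with this many failures earns a notice.
FAILURE_NOTICE_THRESHOLD = 3


def parse_auth_log(text):
    """Return (matched, total, summary).

    summary["accepted"] and summary["failed"] count events per (user, host);
    summary["failed_hosts"] counts failures per source host for the notices.
    """
    summary = {"accepted": Counter(), "failed": Counter(), "failed_hosts": Counter()}
    total = matched = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        m = ACCEPTED.search(line)
        if m:
            matched += 1
            summary["accepted"][(m.group(2), m.group(3))] += 1
            continue
        m = FAILED.search(line)
        if m:
            matched += 1
            summary["failed"][(m.group(1), m.group(2))] += 1
            summary["failed_hosts"][m.group(2)] += 1
    return matched, total, summary


def notices(summary, threshold=FAILURE_NOTICE_THRESHOLD):
    """Source hosts whose failed-login count reached the threshold, sorted."""
    return sorted(h for h, n in summary["failed_hosts"].items() if n >= threshold)


def render_report(path, matched, total, summary):
    """Build the report as console text instead of HTML in a web directory."""
    lines = [f"{path}: [ {matched} of {total} lines parsed ]", "", "Logins:"]
    for (user, host), n in sorted(summary["accepted"].items()):
        lines.append(f"  accepted  {user:<10} from {host:<15} x{n}")
    for (user, host), n in sorted(summary["failed"].items()):
        lines.append(f"  FAILED    {user:<10} from {host:<15} x{n}")
    lines += ["", "Notices:"]
    for host in notices(summary):
        lines.append(f"  {host} reached {summary['failed_hosts'][host]} failed logins")
    return "\n".join(lines)


if __name__ == "__main__":
    matched, total, summary = parse_auth_log(SAMPLE_AUTH_LOG)
    print(render_report("/var/log/auth.log", matched, total, summary))
```

Running it prints the "[ 6 of 8 lines parsed ]" line for the constructed input followed by the login and notices sections; swapping SAMPLE_AUTH_LOG for the contents of a real auth.log is the only change needed to run it over live data.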
If I were a paid sysadmin I would definitely contribute to this project. There is lots to do. I would like a simple network traffic breakdown. I tried cacti with SNMP and RRDtool or something some time ago. Nightmare.
I’ll run epylog cron jobs for a few days before I remove it…
Is there a service to check what ports are open on my machine (from the outside)? I am not allowed to run nmap from school and I am using PuTTY from my landlord’s Win98 machine.