Epylog

After having nightmares preying on my fears of the unlikely case of my online, unstable box being compromised, I thought I would take a look at Epylog after Walter’s post.

It does not seem to have a Debian package, so I applied alien to convert the rpm to deb and checked its contents, then installed the package. So far, so good.

Edited quite a few files to get it working on my Debian system (RH’s secure to auth.log and maillog to mail.log), and in the process I became familiar with the configuration files.

What a mess.

Python-type syntax here, config.ini style there and XML stuff thrown in for good measure. Sweet baby J. Whatever happened to one-line files like passwd? Compromise: please use Python syntax!

The HTML log files it generates could be much better. Not sure what templating engine they’ve decided to use. Seemingly not htmltmpl, which I have bothered to learn. :/

Urgh, I can’t be arsed to log iptables traffic.

When you run epylog, the console output is quite cool (esp. the parsing bit):

bilbo$ sudo /usr/sbin/epylog
Invoking: "Initializing epylog"...
Initializing epylog...done
Invoking: "Restoring log offsets"...
Restoring log offsets...done
Invoking the module execution routines:
Invoking: "Processing internal modules"...
  /var/log/auth.log[.#]: [       20 of 204 lines parsed      ]
  /var/log/messages[.#]: [       2 of 430 lines parsed       ]
  /var/log/mail.log[.#]: [      113 of 470 lines parsed      ]
  Telling all threads to quit
  Waiting for threads to finish: [      all threads done     ]
  Invoking: "Finished all matching, now finalizing"...
    Invoking: "Finalizing "Logins""...
    Finalizing "Logins"...done
    Invoking: "Finalizing "Packet Filter""...
    Finalizing "Packet Filter"...done
    Invoking: "Finalizing "Mail Report""...
    Finalizing "Mail Report"...done
    Invoking: "Finalizing "Notices""...
    Finalizing "Notices"...done
    Invoking: "Finalizing "Spamassassin""...
    Finalizing "Spamassassin"...done
    Invoking: "Finalizing "Weedeater""...
    Finalizing "Weedeater"...done
  (Hanging from "Finished all matching, now finalizing")....done
(Hanging from "Processing internal modules")....done
Finished processing modules
Invoking: "Making the report"...
Making the report...done
Invoking: "Publishing the report"...
  Report saved in: /web/log.natalian.org/2004-Aug-16_Mon
  Notification mailed to: epylog@natalian.org
  Gzipping 2324.log: [      gzipped down to 13538 bytes      ]
  Gzipped logs saved in: /web/log.natalian.org/2004-Aug-16_Mon
(Hanging from "Publishing the report")....done
Invoking: "Cleaning up"...
Cleaning up...done

Although it would be better if it just gave me the report on the console.
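As an added illustration (not epylog’s own code), this is roughly what the "Logins" module does with auth.log, reduced to a console report: match sshd accept/fail lines, count them per user and source address, and remember a byte offset so a cron run only reports lines added since the last run (epylog’s "Restoring log offsets" step). The log lines are constructed samples in OpenSSH’s sshd message format; hostnames, users and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the post); sshd message format.
SAMPLE_AUTH_LOG = """\
Aug 16 09:12:01 bilbo sshd[2211]: Accepted publickey for kai from 192.0.2.10 port 51022 ssh2
Aug 16 09:13:44 bilbo sshd[2219]: Failed password for root from 198.51.100.7 port 40210 ssh2
Aug 16 09:13:49 bilbo sshd[2219]: Failed password for root from 198.51.100.7 port 40210 ssh2
Aug 16 09:14:02 bilbo sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 40233 ssh2
Aug 16 09:20:17 bilbo cron[2240]: (root) CMD (run-parts /etc/cron.hourly)
Aug 16 09:31:05 bilbo sshd[2302]: Accepted password for kai from 192.0.2.10 port 51100 ssh2
"""

# "invalid user" is optional so failed guesses for non-existent accounts are counted too.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text, offset=0):
    """Parse auth.log text from byte `offset`; return (report, new_offset)."""
    chunk = text[offset:]
    lines = chunk.splitlines()
    accepted, failed, matched = Counter(), Counter(), 0
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue  # cron, su, etc. would belong to other modules
        matched += 1
        key = (m["user"], m["ip"])
        (accepted if m["result"] == "Accepted" else failed)[key] += 1
    report = {"lines": len(lines), "matched": matched,
              "accepted": dict(accepted), "failed": dict(failed)}
    return report, offset + len(chunk)

def render(report):
    """Console rendering in the spirit of epylog's '[ N of M lines parsed ]'."""
    out = [f"auth.log: [ {report['matched']} of {report['lines']} lines parsed ]"]
    for (user, ip), n in sorted(report["accepted"].items()):
        out.append(f"  OK    {user:<10} from {ip:<15} x{n}")
    for (user, ip), n in sorted(report["failed"].items(), key=lambda kv: -kv[1]):
        out.append(f"  FAIL  {user:<10} from {ip:<15} x{n}")
    return "\n".join(out)

if __name__ == "__main__":
    rep, off = parse_auth_log(SAMPLE_AUTH_LOG)
    print(render(rep))
    print(f"next run starts at offset {off}")
```

Repeated failures for root and for non-existent users from one address are the lines worth reading first; the offset is what keeps them from being reported twice.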

If I was a paid sysadmin I would defn. contribute to this project. There is lots to do. I would like a simple network traffic breakdown. I tried cacti with SNMP and RRDtool or something some time ago. Nightmare.

I’ll run epylog cron jobs for a few days before I remove it…

Is there a service to check what ports are open on my machine (from the outside)? I am not allowed to run nmap from school and I am using PuTTY from my landlord’s Win98 machine.
