Logwatch: Taking the pain out of log analysis

More security tools Visit our resource center for news, tips and expert advice on how to install and use open source security tools  in your organization.  Visit our Security IT Download section and review other viable freeware tools.

Each month, the editor of our downloads section recommends the security freeware that he finds most valuable. This month, Scott Sidel reviews the benefits of Logwatch.

If you've been searching for a tool to help simplify your security log analysis process consider, Logwatch. This powerful tool specifies which events are important to you, and then scans the log files and reports on those key events. It can parse through systems and application log files, and its output is easily customizable by modifying variables in the /etc/logwatch/conf directory. Additionally, Logwatch comes with many pre-written log parsing PERL scripts.

Logwatch ships as a standard part of several Linux systems and is also downloadable as a binary RPM or as source. While it runs on Unix/Linux, it can analyze logs from nearly any system. Simply create a log repository via syslog (exported Windows logs can be read and examined too) and Logwatch can read logs originating from multiple appliances and systems.

Why it's a cool tool
The value of logs is proportionate to the amount of review they get, so the more often they are reviewed, the more likely it is that critical security events will be noticed. But no one can review logs for very long without their eyes glazing over and brain lock occurring. Logwatch saves you from such brain drain. All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch.

Additionally, Logwatch can help fill in the information gap if you can't afford an expensive security event management correlation engine. For example, Logwatch can email a report on brute force login attempts, like this:

anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)

This beats looking through systems logs manually to discover how many failed login attempts are occurring.

About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Application and Platform Security,   Open Source Security Tools and Applications,   Security Event Management,   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Scott Sidel's Downloads,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Open Source Security Tools and Applications Screencast: Find rogue wireless acess points with Vistumbler Screencasts: On-screen demonstrations of security tools H.D. Moore on future of Metasploit attack platform H.D. Moore speaks about Metasploit Project deal, Release 3.3 Screencast: How to launch an OpenVAS scan Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 SSH key compromise shuts down Apache website Screencast: Smoothwall offers firewall defense in lean times Screencast: Samurai offers pen-testing nirvana Security Event Management Network traffic collection, analysis helps prevent data breaches Best Security Information and Event Management Products Understanding PCI DSS compliance requirements for log management Data breach notification legislation: What info must be released? How to prevent a denial-of-service (DoS) attack Mature SIMs do more than log aggregation and correlation The top 5 network security practices SIMs tools and tactics for business intelligence SIEM: Not for small business, nor the faint of heart Should IDS and SIM/SEM/SIEM be used for network intrusion monitoring? Scott Sidel's Downloads Use BotHunter for botnet detection Review system event logs with Splunk FISMA compliance made easier with OpenFISMA Ophcrack: Password cracking made easy Enigmail: Wrapping email in a digital security blanket Secure file copying with WinSCP FreeRADIUS: Acing a secure connection Spiceworks: Free network monitoring and management with a little zest VirusTotal: On-demand antivirus service scans malicious files Shining a spotlight on rootkits RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Blowfish  (SearchSecurity.com) Kermit  (SearchSecurity.com) Open Source Hardening Project  (SearchSecurity.com) SnortSnarf  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.