If you've been searching for a tool to help simplify your security log analysis process, consider Logwatch. With this tool you specify which events are important to you; it then scans the log files and reports on those key events. It can parse system and application log files, and its output is easily customized by modifying variables in the /etc/logwatch/conf directory. Additionally, Logwatch comes with many pre-written log parsing Perl scripts.
Logwatch ships as a standard part of several Linux distributions and is also downloadable as a binary RPM or as source. While it runs on Unix/Linux, it can analyze logs from nearly any system: create a central log repository via syslog (exported Windows logs can be read and examined too) and Logwatch can read logs originating from multiple appliances and systems.
Why it's a cool tool
The value of logs is proportional to the amount of review they get, so the more often they are reviewed, the more likely it is that critical security events will be noticed. But no one can review logs for very long without their eyes glazing over and their brain locking up. Logwatch saves you from such brain drain. All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch.
Additionally, Logwatch can help fill in the information gap if you can't afford an expensive security event management correlation engine. For example, Logwatch can email a report on brute force login attempts, like this:
anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)
This beats looking through system logs manually to discover how many failed login attempts are occurring.
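The report above is produced by Logwatch's own Perl service scripts; the following is an added, stand-alone illustration (not Logwatch code) of the same idea: scan sshd "Failed password" syslog lines, count attempts per user and source address, and render them in the "user/password from IP: N Time(s)" style. The log lines, host name, and IP addresses are constructed for the example, and the regex assumes the standard OpenSSH message format.

```python
import re
from collections import Counter

# Matches OpenSSH "Failed password" syslog lines, for both real accounts
# ("for root") and non-existent ones ("for invalid user guest").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
Sep  1 03:14:05 host sshd[2101]: Failed password for root from 203.0.113.5 port 4121 ssh2
Sep  1 03:14:07 host sshd[2101]: Failed password for root from 203.0.113.5 port 4122 ssh2
Sep  1 03:14:09 host sshd[2103]: Failed password for invalid user guest from 203.0.113.5 port 4123 ssh2
Sep  1 03:15:00 host sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Sep  1 03:16:42 host sshd[2120]: Failed password for root from 198.51.100.9 port 6001 ssh2
Sep  1 03:16:43 host sshd[2120]: Failed password for invalid user anonymous from 198.51.100.9 port 6002 ssh2
"""


def failed_logins(lines):
    """Count failed password attempts keyed by (user, source IP)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:  # successful logins and unrelated lines are skipped
            counts[(m.group("user"), m.group("ip"))] += 1
    return counts


def format_report(counts, threshold=1):
    """Render counts Logwatch-style, busiest pair first; pairs with fewer
    than `threshold` attempts are dropped to cut noise from one-off typos."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(
        f"{user}/password from {ip}: {n} Time(s)"
        for (user, ip), n in rows
        if n >= threshold
    )


if __name__ == "__main__":
    print(format_report(failed_logins(SAMPLE_LOG.splitlines())))
```

Pointing the script at a real /var/log/secure or auth.log and raising the threshold gives the same brute-force summary the article describes, without a correlation engine.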
About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.
This was first published in September 2006