Title: logcheck
Author: Craig H. Rowland <crowland@psionic.com>
License: See LICENSE file.
Warranty: Money back guarantee. Not responsible for any consequences from use!!


Abstract

Logcheck is software package that is designed to automatically run and check 
system log files for security violations and unusual activity. Logcheck 
utilizes a program called logtail that remembers the last position it read 
from in a log file and uses this position on subsequent runs to process new 
information. All source code is available for review and the implementation 
was kept simple to avoid problems. This package is a clone of the 
frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm) 
firewall package. TIS has granted permission for me to clone this package.


Purpose

It bothers me to read stories of system administrators who have had a 
break-in realize it too late and report "Well I checked the logs from two 
weeks ago and found such and such had happened..." or "We've never had 
problems on that system before so we never bothered to check the logs.."

Auditing and logging system events is important! What is more important is 
that system administrators be aware of these events so they can prevent 
problems that will inevitably occur if you have a system connected to the 
Internet.

What is great about Unix is that virtually all modern implementations support 
the syslog(8) facility to report, and quite extensively if configured 
and supported correctly, virtually all happenings good or bad on the host 
system. This allows the creation of an audit trail that can be used very 
effectively to subvert potential attacks and alert system administrators 
that action should be taken.

Unfortunately for most Unices (and Windows NT <ahem>) it doesn't matter how 
much you log activity if nobody ever checks the logs which is often the case.
This is where logcheck will help. Logcheck automates the auditing process 
and weeds out "normal" log information to give you a condensed look at 
problems and potential troublemakers mailed to wherever you please.

So you ask: There are other programs out there that do the same thing,
why do I need this one?

Well I say try the other ones and see which one fits your needs. There are 
many out there that are very good (i.e. swatch), and they all come at a 
great price (free). 

This package has some features though that may be easier for you to use 
because it doesn't require a constantly running program and can mail all 
findings from many systems back to a single location. Additionally, it 
reports any unusual system messages that you may not have seen before, a 
distinct advantage as it is often impossible to know every possible syslog 
message that may come into the logs from the daemons. 

Design

Logcheck is based upon a log checking program called frequentcheck.sh featured 
in the Gauntlet(tm) firewall package by Trusted Information Systems Inc. 
(http://www.tis.com). The logcheck shell script and logtail.c program have been
completely re-written from scratch and is implemented in a slightly 
different manner to accommodate for two methods of log file auditing:

1) By reporting everything you tell it to specifically look for via keywords.

2) By reporting everything you didn't tell it to ignore via keywords.

This ensures that important messages are specifically brought to your 
attention (via the keywords you look for) and that important messages that 
you may have overlooked are also reported (by only ignoring items you tell 
it to). The original frequentcheck.sh script was implemented in a somewhat 
similar manner.

The script is a simple shell programming model and the logtail.c program 
uses basic ANSI C compatible functions with comments and easy to follow 
source. Unusual tricks and "golly-gee" features have been left out to 
prevent problems.

The logcheck script should be run at least hourly on your hosts from the 
cron daemon. This script will check files for unusual activity through the 
use of simple grep(1) commands and will mail all findings (if any) to the 
administrator. If nothing is found you'll receive no mail. 

System Information

This program comes with default keyword filter files tuned for the firewall 
toolkit by TIS and systems running Wietse Venema's TCP Wrapper package 
(Which ALL systems should be running IMHO). This program is also very 
BSDish so you may have to tune it a little if you are running something 
other than a BSD variant (as if there are any other types of unix ;) ). 
I've tested the program extensively on BSDI 2.x, Linux, HPUX 10.x and
FreeBSD 2.x without any hassles or major explosions of any type (although 
on HPUX you may need to get a real compiler and not that braindead piece
of garbage that ships with it).

I am _always_ looking for comments and suggestions. Additionally if you 
have a keyword file you find is nicely tuned for your version 
of Unix (IRIX, AIX, HP, Solaris,  etc. ) please send it to me for 
inclusion in any subsequent updates. Basic keyword files that work well 
for BSDI 2.x, FreeBSD, HPUX, Solaris, SunOS and Linux are included.

PLEASE read the INSTALL file for proper installation procedures and other 
tips. If you have any questions, comments, flames, then please e-mail me at 
crowland@psionic.com

Thanks,

Craig Rowland
crowland@psionic.com