The syslogd daemon is responsible for capturing logging information generated by system processes; the klogd daemon is responsible for capturing logging information generated by the kernel. System logs provide the primary indication of a potential problem.
• Fine-tune the default /etc/syslog.conf to send log information to specific files for easier analysis.
    # Monitor authentication attempts
    auth.*;authpriv.*       /var/log/authlog
    # Monitor all kernel messages
    kern.*                  /var/log/kernlog
    # Monitor all warning and error messages
    *.warn;*.err            /var/log/syslog
    # Send a copy to remote loghost. Configure syslogd init
    # script to run with -r -s domain.com options on log
    # server. Ensure a high level of security on the log
    # server!
    *.info                  @loghost
    auth.*;authpriv.*       @loghost
• Restrict access to the log directory and syslog files for normal users using:
    # chmod 751 /var/log /etc/logrotate.d
    # chmod 640 /etc/syslog.conf /etc/logrotate.conf
    # chmod 640 /var/log/*log
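The following Python script is an added example and not part of the original guide. It parses a syslog.conf fragment in the style shown above, checks that auth, authpriv and kern messages are both written to a local file and forwarded to a remote loghost, and audits a log directory against the 751 (directory) and 640 (file) modes from the chmod commands. The configuration text and the temporary directory it audits are constructed for the demonstration; the "must be local and remote" rule and the mode ceilings are assumptions derived from the guidance above, not from any syslogd default.

```python
"""Audit a syslog.conf fragment and log-directory permissions against the
baseline described in the hardening text (added example, constructed input)."""
import os
import stat
import tempfile

# Constructed sample: the syslog.conf fragment from the text, with comments.
SAMPLE_SYSLOG_CONF = """\
# Monitor authentication attempts
auth.*;authpriv.*    /var/log/authlog
# Monitor all kernel messages
kern.*               /var/log/kernlog
# Monitor all warning and error messages
*.warn;*.err         /var/log/syslog
# Send a copy to remote loghost
*.info               @loghost
auth.*;authpriv.*    @loghost
"""


def parse_syslog_conf(text):
    """Return a list of (facility, priority, action) tuples.

    A rule line is 'selector[;selector...] <whitespace> action', where a
    selector is 'facility.priority'. Comments and blank lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed rule: %r" % raw)
        selectors, action = parts
        for sel in selectors.split(";"):
            facility, _, priority = sel.partition(".")
            rules.append((facility, priority, action))
    return rules


def check_rules(rules, facilities=("auth", "authpriv", "kern")):
    """Return baseline findings; an empty list means the fragment complies.

    Assumed baseline: each listed facility must reach a local file (action
    starting with '/') and a remote loghost (action starting with '@').
    A '*' facility selector counts as covering every facility.
    """
    findings = []
    for fac in facilities:
        actions = [a for f, _, a in rules if f in (fac, "*")]
        if not any(a.startswith("/") for a in actions):
            findings.append("%s is not written to a local file" % fac)
        if not any(a.startswith("@") for a in actions):
            findings.append("%s is not forwarded to a remote loghost" % fac)
    return findings


def too_permissive(path, max_mode):
    """True if path carries any permission bit not present in max_mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & ~max_mode)


def audit_log_dir(log_dir, max_file_mode=0o640, max_dir_mode=0o751):
    """Return entries under log_dir whose mode exceeds the chmod baseline."""
    bad = []
    if too_permissive(log_dir, max_dir_mode):
        bad.append(log_dir)
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path) and too_permissive(path, max_file_mode):
            bad.append(path)
    return bad


def demo():
    """Build a constructed /var/log lookalike in a temp dir and audit it.

    One file ('syslog') is deliberately left world-readable (644) so the
    audit has something to report.
    """
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "log")
        os.mkdir(log_dir)
        os.chmod(log_dir, 0o751)
        for name, mode in (("authlog", 0o640), ("kernlog", 0o640), ("syslog", 0o644)):
            path = os.path.join(log_dir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.basename(p) for p in audit_log_dir(log_dir)]


if __name__ == "__main__":
    print("config findings:", check_rules(parse_syslog_conf(SAMPLE_SYSLOG_CONF)))
    print("over-permissive entries:", demo())
```

Run against a real host, `parse_syslog_conf(open("/etc/syslog.conf").read())` and `audit_log_dir("/var/log")` give the same two reports; the script only reads modes and never changes them, so it is safe to schedule as a periodic check.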