17. Monitor logs

To understand better what is happening on your system, we recommend that you check your logs often. Look for unusual entries. See what is happening at 2AM when there is not supposed to be anyone on your system. If you see something, make sure you know what it is and why it is running at 2AM. Here's a list of logs that can be helpful and that should be checked on a regular basis.

System log and console messages – This is the primary system log. Most daemons log to this file. Vendors keep it in different places. On Solaris, it's /var/adm/messages.

The 'last' log – The 'last' command will list out who has logged into your system lately. If you'd like to keep old logs, we recommend that you have a cron job that copies them to tape or somewhere safe.

Sendmail log – Sendmail keeps its log of incoming and outgoing mail in /var/log/syslog. Check it to see how Sendmail is running and also to see if you are getting spammed. Look for bogus mail and be sure that you relay your mail to ASU's official post office – not some other machine that could steal your mail. See the section above for more information about Sendmail.

Audit trails – In some cases, the system can create an audit trail of password usage and changes. Also, the history log of what users type can usually be found in the .history file in the user's home directory. If you'd like to see what a user has been up to lately, look at their .history file. Users can delete or tamper with this file, so don't believe everything you see.

Sar – The sar set of utilities on Unix can be turned on to help monitor system usage. This includes counts of how many times a user executes a program and how often particular programs are executed and by whom. Sar is also the main tool for getting statistical reports on things like memory, CPU and swap usage. For more information on sar, check out a good Unix book or see the man pages.
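As an added example (not part of the original checklist), here is a small POSIX shell helper for the 2AM check described above: it pulls entries from a syslog-format stream (such as /var/adm/messages) for a given hour window and counts those that are not on an allow-list of expected nightly jobs. The log lines, hostname and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of classic syslog-format messages (not real log data).
SAMPLE_LOG='Jan 12 01:58:02 hostA cron[4021]: (root) CMD (/usr/lib/sa/sa1)
Jan 12 02:14:33 hostA sshd[4102]: Accepted password for jdoe from 192.0.2.10 port 51234 ssh2
Jan 12 02:15:07 hostA su: jdoe to root on /dev/pts/1
Jan 12 02:40:11 hostA sendmail[4190]: relay=mail.example.com. [192.0.2.20]
Jan 12 08:03:45 hostA sshd[5011]: Accepted publickey for jdoe from 192.0.2.10 port 51240 ssh2
Jan 12 14:22:09 hostA cron[6001]: (root) CMD (/usr/lib/sa/sa2 -A)'

# off_hours_entries FROM TO
# Reads syslog lines on stdin and prints those whose timestamp hour is
# >= FROM and < TO (24-hour clock; "1 4" selects 01:00 through 03:59).
# The timestamp is field 3 (HH:MM:SS) in "Mon DD HH:MM:SS host ..." format.
off_hours_entries() {
    from="$1"; to="$2"
    awk -v from="$from" -v to="$to" '
        { split($3, t, ":"); h = t[1] + 0 }
        h >= from && h < to { print }'
}

# count_unexpected FROM TO ALLOW_REGEX
# Counts window entries that do NOT match ALLOW_REGEX, i.e. the ones an
# administrator still has to explain. The allow-list is for jobs you
# already know about, such as the nightly sar collector.
count_unexpected() {
    from="$1"; to="$2"; allow="$3"
    off_hours_entries "$from" "$to" | grep -v -E "$allow" | wc -l | tr -d ' '
}

# Usage on the sample: anything between 01:00 and 03:59 other than sar jobs.
# On a real host, replace the printf with: cat /var/adm/messages
printf '%s\n' "$SAMPLE_LOG" | off_hours_entries 1 4 | grep -v -E 'sa1|sa2'
echo "unexpected overnight entries: $(printf '%s\n' "$SAMPLE_LOG" | count_unexpected 1 4 'sa1|sa2')"
```

A count that is not zero is a prompt to look at each remaining line, not proof of a break-in; the allow-list should only contain jobs you have verified.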