Subject: Re: Tracking all activity on an interface
From: Gene R. Gomez (ggomez@VERANCE.COM)
Date: Wed Sep 20 2000 - 12:25:32 CDT
- Next message: Infrastructure Dept.: "Re: Monitoring traffic under Apache ?"
- Previous message: Ryan Permeh: "Re: Possible root kit?"
- Maybe in reply to: Jack Palmadesso: "Tracking all activity on an interface"
- Next in thread: Tyrone Mills: "Re: Tracking all activity on an interface"
- Maybe reply: Gene R. Gomez: "Re: Tracking all activity on an interface"
Hmmm...taking this a little further, I've got a transparent caching proxy
server here that I wanted to view real-time logs for. This is a similar
task; here's what I did.
Took a look at required permissions to look at the file...in this case user
and group were both "squid".
Created a new user called "cachemonitor". (In your case, you can use
securitymonitor, or whatever)
Created a script called "cachemon" in the /usr/bin/ directory that just
looked like:
#!/bin/sh
# cachemon: login shell that only streams the squid access log
tail -f /var/log/squid/access.log
Finally, I modified /etc/passwd to have "cachemonitor" have the same uid and
gid as the squid user and group, and set the login shell to
/usr/bin/cachemon.
Now, after my machine boots I switch to the 2nd virtual console, log in as
cachemonitor, and I get a real-time read-out of what my users are doing
(this is only reasonable because I've got a relatively low amount of
users...80 or so).
The added bonus is that if anyone happens across the console and presses
CTRL-C, it just logs cachemonitor out. No biggie. Plus, my "real" console
(the 1st virtual console) is unaffected by the functioning of the system.
To improve this (and something I haven't tried to figure out yet), I'd like
to have the cachemonitor user log in IMMEDIATELY upon boot-up on the 2nd
virtual console. Anyone done this before?
-Gene
-----Original Message-----
From: Paul Kincaid [mailto:pkincaid@SC.WAREONEARTH.COM]
Sent: Tuesday, September 19, 2000 12:11 PM
To: FOCUS-LINUX@SECURITYFOCUS.COM
Subject: Re: Tracking all activity on an interface
A couple of other ways to see the logs real time:
1) when you first log in, do a "tail -f /var/log/messages &" and that will
print the logs to the console as they are entered into the log file.
2) within syslog.conf, log *.* to /dev/console.
Both of these can become tiring, when you are typing a long command sequence
and a log file entry comes across -- it'll print it right where you are
working... I only use number 1 when I need to see the logs in real time and
leave the /dev/console entry to the emergency logs.
Hope this helps,
Paul
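The following is an added example, not Gene's script or anything else posted in this thread. It shows a tighter version of the "restricted login shell that tails a log" idea from the message above, and an awk check for the one part of that setup a practitioner would want to look at twice: giving the monitor account the same uid as squid. The kernel identifies a process by numeric uid, not by login name, so an account that reuses squid's uid is squid as far as file ownership, kill(2), ptrace and any sudo or PAM rule written for "squid" are concerned. Putting the monitor account in group squid and making the log group-readable gets the same read access with a distinct identity. The account name cachemonitor, the path /usr/bin/cachemon and the log path are taken from the post; group-readability of the log, the sample passwd lines and the use of GNU tail are assumptions made here.

```sh
#!/bin/sh
# cachemon: restricted login shell for a read-only log-monitor account.
# Added example, not the script from the original post. Assumptions (not on
# the page): the monitor account has its own uid and is a member of group
# "squid"; the log is group-readable; tail is GNU tail (for -F).

LOG=${CACHEMON_LOG:-/var/log/squid/access.log}

# Constructed passwd(5) sample for the uid check below. "cachemonitor"
# reuses squid's uid 23, as in the original setup; "monitor" has its own
# uid but shares the squid group, which is all the log read needs.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'squid:x:23:23:Squid proxy:/var/spool/squid:/bin/false' \
        'cachemonitor:x:23:23:Log monitor:/home/cachemonitor:/usr/bin/cachemon' \
        'monitor:x:1001:23:Log monitor:/home/monitor:/usr/bin/cachemon'
}

# Print each login whose uid appears more than once in a passwd-format
# file ($1, or stdin when no argument is given). Two logins with one uid
# are a single principal to the kernel, so every permission squid has,
# the monitor account has too.
shared_uid_logins() {
    awk -F: 'NF >= 3 { count[$3]++; name[NR] = $1; uid[NR] = $3 }
             END { for (i = 1; i <= NR; i++)
                       if (uid[i] != "" && count[uid[i]] > 1) print name[i] }' \
        ${1:+"$1"}
}

# The login shell proper. exec replaces this process with tail, so no
# shell is left behind to escape into. Ctrl-C sends SIGINT to tail, tail
# exits, the session ends and getty respawns the login prompt. -F (GNU
# tail) keeps following after logrotate replaces the file; plain -f stays
# on the old, renamed file and goes quiet.
cachemon() {
    if [ ! -r "$LOG" ]; then
        echo "cachemon: cannot read $LOG" >&2
        exit 1
    fi
    exec tail -F "$LOG"
}

# Act as the login shell only when invoked as cachemon (login(1) passes
# "-cachemon" as argv[0]; a direct run passes the path). When this file is
# sourced to reuse shared_uid_logins, nothing below executes.
case $0 in
    cachemon|-cachemon|*/cachemon) cachemon ;;
esac
```

Install the script as /usr/bin/cachemon, set it as the monitor account's login shell, and run `shared_uid_logins /etc/passwd` once to confirm the monitor login is not listed. For the follow-up question in the post (logging the monitor account in on tty2 at boot), an inittab-based system does it with the getty's autologin option; with mingetty, for example, the tty2 line would read `2:2345:respawn:/sbin/mingetty --autologin cachemonitor tty2`. The exact option is getty-specific, so check the man page for the one your distribution ships.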