logit: A Log File Manager
Tim Mayfield
There is a beautiful pond and wetlands preserve near my children's day-care center. Recently I heard someone call it an attractive nuisance; it's pretty, but it represents a danger to the kids. System log files are similar to the pond. They are nice to look at because they let you monitor the status of your systems and watch for attacks from the outside. But they can be a nuisance, too. They are tiresome to sift through, and if left unchecked they can grow without bounds.
Until recently, the engineering portion of my company's network was completely private. Only the most limited outside communications were allowed, so my need to monitor system logs for outside attacks was nonexistent. Now we have engineers telecommuting, and soon our licensees will be collaborating with us on new designs electronically. Shortly after installing our first ISDN router, I found the copious accounting information it generated intolerable. But I couldn't justify turning its logging feature off: the potential for information regarding attacks hiding in the log was impossible to ignore. Unfortunately, not only did I not have time every day to monitor the syslog file, I couldn't always remember to do it when I did have time.
That's when I wrote logit (Listing 1). logit is a simple shell script that "ages" any system accounting or log files. logit ages log files by nightly renaming the current day's file to add an extension, e.g., syslog would become syslog.1. At the same time, extensions from previously aged files are incremented. Thus syslog.1 becomes syslog.2, syslog.2 becomes syslog.3, etc.
After a log file becomes n days old, it is purged (see Listing 1). Thus, any file specified in the variable LOGFILE will be aged until OLD and then removed from the system. Here I keep log files around for a week (see Listing 2). Each aged file is named with the .n extension displaying its current age. syslog.6 is the oldest syslog file and will be purged next. The syslog file with no extension is the current file in use by the system. After aging, logit uses kill to force syslogd to re-read its configuration file. This is necessary after the current file has been aged: without the kill, messages will go to syslog.1 instead of syslog. I fire logit nightly by cron.
Aging the syslog file and purging the oldest each night ensures that syslog will not grow to unlimited proportions. Unfortunately, it does not guarantee I'll remember to look at the log, or find the right information buried in it. To help me do that, logit uses mailx to send me an e-mail containing either the entire contents of the log or just the interesting portions. This way, when I have time to check my mail, I can quickly verify system status and look for the bad guys. If I see something suspicious, I can go to any of this week's logs for more information.
The for loop and the two mailx commands reference two log files, syslog and isdn.log. When I first turned on accounting at our ISDN router, syslogd sent the data to /usr/adm/syslog. But I wanted the ISDN information split from all the other data that finds itself in the syslog. By modifying /etc/syslog.conf, I rerouted the ISDN information to its own destination. (For a brief discussion of syslog.conf, see the sidebar.)
The mailx commands at the bottom of logit route the log information to root. The first sends all the contents of /usr/adm/syslog. The second sends only the lines containing "Security Error" in the /usr/adm/isdn.log file. Obviously, there is room for customization here.
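The aging, the syslogd signal and the two mailx reports described above, written out as one script. This is an added example, not the article's Listing 1 or Listing 2; the log directory, the OLD value, the pid file /etc/syslog.pid, the MAILTO address and the LOGIT_RUN guard are assumed names, not taken from the article.

```shell
#!/bin/sh
# Nightly log aging in the style of logit. Added example, not the
# article's Listing 1. Assumed names: LOGDIR, the LOGFILE list, OLD,
# the syslogd pid file and the mailx recipient; adjust for your system.
LOGDIR=${LOGDIR:-/usr/adm}
LOGFILE=${LOGFILE:-"syslog isdn.log"}
OLD=${OLD:-6}                 # keep a week: FILE, FILE.1 .. FILE.6
SYSLOG_PID=${SYSLOG_PID:-/etc/syslog.pid}
MAILTO=${MAILTO:-root}

# age_log FILE OLD: remove FILE.OLD, shift FILE.n to FILE.n+1 for
# n = OLD-1 down to 1, then move FILE to FILE.1 and create an empty FILE
# (mode 600, since logs are sensitive). Counting down avoids clobbering.
age_log() {
    f=$1; n=$2
    rm -f "$f.$n"
    while [ "$n" -gt 1 ]; do
        n=$((n - 1))
        if [ -f "$f.$n" ]; then mv "$f.$n" "$f.$((n + 1))"; fi
    done
    if [ -f "$f" ]; then mv "$f" "$f.1"; fi
    : > "$f"
    chmod 600 "$f"
}

# reopen_syslogd: SIGHUP makes syslogd re-read syslog.conf and reopen
# its output files, so new messages land in FILE rather than FILE.1.
reopen_syslogd() {
    if [ -r "$SYSLOG_PID" ]; then kill -HUP "$(cat "$SYSLOG_PID")"; fi
}

# security_errors FILE: print only the lines flagged by the ISDN router.
# Exit status is 0 whether or not anything matched.
security_errors() {
    grep 'Security Error' "$1" 2>/dev/null || true
}

# logit_main: the nightly run. Mail the copies just aged to .1, since the
# unsuffixed file is empty once rotation is done.
logit_main() {
    for f in $LOGFILE; do age_log "$LOGDIR/$f" "$OLD"; done
    reopen_syslogd
    mailx -s "syslog for $(hostname)" "$MAILTO" < "$LOGDIR/syslog.1"
    security_errors "$LOGDIR/isdn.log.1" |
        mailx -s "ISDN security errors" "$MAILTO"
}

# Run nightly from cron with LOGIT_RUN=1 (left unset when sourced/tested).
if [ "${LOGIT_RUN:-0}" = 1 ]; then logit_main; fi
```

Between the mv of the current file and the SIGHUP, syslogd still writes to the file now called syslog.1, which is the window the article's kill step closes.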
Depending on your environment, you can use file aging and/or mailx on all sorts of files. In addition to monitoring log files, I use file aging and mailx to inform me of my disk-server status and last night's backup results. Now my biggest nuisance is remembering to read my e-mail.
About the Author
Tim Mayfield is the CAD/CAM Manager at ESCO Corporation in Portland, Oregon. He has used CAD/CAM for mechanical design and analysis for ten years, and has administered UNIX systems for the past five. Tim holds a BS in Mechanical Engineering from Portland State University. He can be reached electronically at tlm@teleport.com.