
Good morning/afternoon/evening everyone, I am looking into what files I should consistently back up externally from my machine to be able to monitor for any unusual activity. I would look at the files regularly but also if my machine is in a bad state when I come in, I would like to be able to look at the backed-up logs and determine any system intrusions/logins/failed logins, etc (yes this is "if" the attacker did not modify the files to be misleading themselves). I also chose to monitor cron-tasks (I have backup scripts etc) to ensure nothing went wrong there.

As my list targets Linux specifically, maybe this post would be more beneficial if other OSes were included and the title changed to just "Log files to backup and review for security". If someone would like me to, I will go ahead and accomplish that in order to have this post better suit the community at large.

So far the list I have accumulated is

/var/log/audit

  • Monitor default audit rules/custom audit rules

/var/log/messages

  • Not entirely sure if I would be able to glean any intrusions/modification from this but this would give me an idea of the system state on start-up

/var/log/secure & /var/log/wtmp

  • Authentication attempts/fails

/var/log/cron

  • Monitors cron-jobs

"/var/log/httpd/ssl_error_log*" & "/var/log/httpd/ssl_access_log*"

  • Access and error log for webpage (not sure if this would help holding onto these...but it could give an insight if a random IP kept hitting my webpage. Wouldn't prove anything but might warn?)

What other files does the security community recommend? Of course there is always the default answer (the entire /var/log directory)... but obviously this will capture a lot of data that is not needed (nor wanted... I want to keep the essentials: size constraints, not an Xorg debugger, etc.).

IT_User
Perhaps the underlying question isn't "which files to back up?" but, rather, "which files to review?". Is the desire really to identify a particular set of files that should be considered "non-negotiable" in terms of log review practices for any world-facing server? This set would be the one one should consider irrespective of the nuances associated with the particular use(s) (particular business applications, etc.) of the server – dat Apr 14 '22 at 17:11

1 Answer


You should back up all files, not just ones you think look important.

Don't back up individual files either. Instead, have your syslog daemon send a copy remotely to your backup server in real time. Most syslog daemons support this, and the good ones even support sending it over an encrypted channel. If that is not supported, you can always set up an encrypted tunnel with stunnel, or transmit it over a VPN's virtual interface to the target. It's easy to do with various sysloggers like rsyslog, journald, or syslog-ng.

forest
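As an added example (mine, not the answerer's or the rsyslog project's), the real-time encrypted forwarding the answer describes, written in rsyslog's RainerScript: the monitored host ships everything to a collector over mutually authenticated TLS with a disk-backed queue, and the collector only accepts senders whose certificate name it knows. Hostnames, ports, file paths and certificate locations are assumptions; the gtls driver requires the rsyslog-gnutls package.

```rsyslog
# --- Sending host: /etc/rsyslog.d/10-forward-tls.conf (assumed path) ---
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/sender-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/sender-key.pem"
)
# Forward every facility/severity; the usual local files in /var/log are still written.
*.* action(
  type="omfwd"
  target="logcollector.example.internal"
  port="6514"
  protocol="tcp"
  StreamDriver="gtls"
  # Mode 1 = TLS only; x509/name also verifies the collector's certificate name,
  # so a host that merely intercepts port 6514 cannot impersonate the collector.
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logcollector.example.internal"
  # Disk-assisted queue: if the collector is unreachable, events are buffered
  # locally and retried forever instead of being silently dropped.
  queue.type="LinkedList"
  queue.filename="fwd_tls_queue"
  queue.maxDiskSpace="1g"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)

# --- Collector: /etc/rsyslog.d/10-collector-tls.conf (assumed path) ---
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector-key.pem"
)
# Only senders whose certificate name is listed may deliver logs.
module(load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["webhost.example.internal"]
)
input(type="imtcp" port="6514")
# One directory per sender, one file per program
# (e.g. /var/log/remote/webhost.example.internal/sshd.log); local messages stay local.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
if $fromhost-ip != "127.0.0.1" then action(type="omfile" dynaFile="PerHostFile")
```

Entries that have already reached the collector cannot be rewritten by someone who later gains root on the sending host, which is exactly the gap the question's "if the attacker did not modify the files" caveat leaves open.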