
Re: [hobbit] Logfile monitoring - I'd like some comments



On Tue, Feb 14, 2006 at 11:43:20PM -0700, Charles Jones wrote:
> 
> How will it handle monitoring files that get rotated out?  For example 
> if the hobbit client is monitoring /var/log/messages, and a cron rotate 
> script moves messages to messages.1 and gzips it, will the hobbit client 
> be smart enough to reseek to the end of the newly created file?

Log rotation is difficult to handle - I just wrote about it in another
reply. In the scenario you describe, Hobbit would miss those log
messages that were made between the last client run and the log
rotation - so normally, that would only be log-entries for a few minutes
(since the client runs every 5 minutes).

Hobbit does notice that the log was rotated, and starts sending the
entries that go into the new logfile.

> *** Partially off-topic ***
> While looking at another group's monitoring setup, they were using a 
> program called ****** (name doesn't matter), which I found to be inferior 
> to Hobbit, but it did have one nice feature, which was the ability to 
> test the checksum of a list of files, and send an alert if the file 
> changed (default examples were /etc/passwd, /vmlinuz, 
> /etc/syslog.conf).  I suppose this functionality could be achieved via a 
> client-side external script, but I mention it here because it might be 
> easy to add in now while you are working on the file scanning code :)

I think this is better handled by some of the host-based IDS systems
that are out there - like Tripwire, or the open-source equivalent AIDE.
That's what they are designed to do, and they have much more advanced
techniques of checking that the file contents don't change (multiple
hashes, checking of file meta-data etc.)


Regards,
Henrik
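The rotation problem discussed in this reply, as an added example rather than Hobbit's own client code: a log reader that keeps the inode and byte offset of the file between runs, so that a fresh file after a rename-style rotation is read from the top, an in-place truncation is noticed, and a line that is still being written is left for the next run. It assumes the rotation renames the log to `<path>.1` (a gzipped copy is a different inode and its tail is lost, exactly as described above); the log lines and the state-file path are constructed for the demo.

```python
import json
import os
import tempfile

# Added example (not Hobbit's code): a stateful log reader for a client that
# runs every few minutes. State between runs = {"inode": ..., "offset": ...}.


def _read_from(path, offset):
    """Read complete lines from byte offset; a partial last line is left unread."""
    lines = []
    with open(path, "rb") as f:
        f.seek(offset)
        end = offset
        while True:
            raw = f.readline()
            if not raw:
                break
            if not raw.endswith(b"\n"):
                break  # line still being written: re-read it whole next run
            lines.append(raw[:-1].decode("utf-8", "replace"))
            end = f.tell()
    return lines, end


def read_new_lines(path, state, rotated_path=None):
    """One client run: return (new_lines, new_state).

    state is None on the first run, otherwise the dict returned last time.
    rotated_path (assumed '<path>.1') is where a rename-style rotation puts
    the old file; if it still carries the old inode, its tail is drained first.
    """
    lines = []
    st = os.stat(path)
    offset = 0
    if state is None:
        offset = st.st_size  # first run: start at the current end, like tail -f
    elif state["inode"] != st.st_ino:
        # Rotated by rename. Lines appended after our last run are only
        # recoverable while the old inode is still a plain-text file.
        if (rotated_path and os.path.exists(rotated_path)
                and os.stat(rotated_path).st_ino == state["inode"]):
            lines.extend(_read_from(rotated_path, state["offset"])[0])
    elif st.st_size < state["offset"]:
        offset = 0  # truncated in place (copytruncate style): restart at top
    else:
        offset = state["offset"]
    new_lines, new_offset = _read_from(path, offset)
    lines.extend(new_lines)
    return lines, {"inode": st.st_ino, "offset": new_offset}


def load_state(state_file):
    try:
        with open(state_file) as f:
            return json.load(f)
    except FileNotFoundError:
        return None


def save_state(state_file, state):
    with open(state_file, "w") as f:
        json.dump(state, f)


def _append(path, text):
    with open(path, "a") as f:
        f.write(text)


def demo():
    """Four client runs around a rename-style rotation (constructed log lines)."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "messages")
    rotated = log + ".1"
    state_file = os.path.join(d, "messages.state")
    open(log, "w").close()
    runs = []
    for step in range(4):
        if step == 1:
            _append(log, "sshd: session opened\nsshd: session closed\n")
        elif step == 2:
            _append(log, "cron: rotating\n")          # written before rotation
            os.rename(log, rotated)                    # logrotate-style rename
            open(log, "w").close()                     # syslog reopens a new file
            _append(log, "kernel: boot\nsshd: part")   # last line incomplete
        elif step == 3:
            _append(log, "ial line\n")
        lines, state = read_new_lines(log, load_state(state_file), rotated)
        save_state(state_file, state)
        runs.append(lines)
    return runs


if __name__ == "__main__":
    for i, lines in enumerate(demo()):
        print("run", i, lines)
```

The only entries at risk are those appended between the last run and the rotation; draining the renamed file by inode recovers them when the rotation keeps the old file uncompressed, and a copytruncate rotation is caught by the size check instead.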
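The Tripwire/AIDE-style check Henrik points to, as an added example that is not Hobbit's, Tripwire's or AIDE's code: a baseline of several hashes plus ownership, mode, size and mtime per file, compared on a later run. The file names echo the ones in the question (`passwd`, `syslog.conf`, `vmlinuz`) but live in a temporary directory with constructed contents; the three changes in `demo()` are constructed too.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not Hobbit's, Tripwire's or AIDE's code): baseline-and-compare
# file integrity check recording multiple hashes and metadata per file.

HASHES = ("sha256", "blake2b")


def fingerprint(path):
    """Hashes plus metadata for one file; all attributes are compared later."""
    digests = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    st = os.lstat(path)
    fp = {name: h.hexdigest() for name, h in digests.items()}
    fp.update(size=st.st_size, mode=stat.S_IMODE(st.st_mode),
              uid=st.st_uid, gid=st.st_gid, mtime=int(st.st_mtime))
    return fp


def build_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def compare(baseline):
    """Return {path: [changed attribute names]} for files differing from baseline."""
    findings = {}
    for path, old in baseline.items():
        if not os.path.lexists(path):
            findings[path] = ["missing"]
            continue
        new = fingerprint(path)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Baseline three constructed files, alter them, report what changed."""
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, "passwd")
    syslog_conf = os.path.join(d, "syslog.conf")
    vmlinuz = os.path.join(d, "vmlinuz")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(syslog_conf, "w") as f:
        f.write("*.info /var/log/messages\n")
    with open(vmlinuz, "wb") as f:
        f.write(b"\x7fELF constructed kernel image")
    for p in (passwd, syslog_conf, vmlinuz):
        os.chmod(p, 0o644)
    baseline = build_baseline([passwd, syslog_conf, vmlinuz])

    # 1. A line appended to passwd with the mtime put back to its old value:
    #    a timestamp check alone would miss this, the hashes and size do not.
    with open(passwd, "a") as f:
        f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
    old_mtime = baseline[passwd]["mtime"]
    os.utime(passwd, (old_mtime, old_mtime))
    # 2. syslog.conf content untouched, but made world-writable.
    os.chmod(syslog_conf, 0o666)
    # 3. Kernel image removed.
    os.remove(vmlinuz)

    return {os.path.basename(p): c for p, c in compare(baseline).items()}


if __name__ == "__main__":
    for name, changed in demo().items():
        print(f"{name}: {', '.join(changed)}")
```

The comparison is only as trustworthy as the baseline, which is why the host-based IDS tools keep it signed or on read-only media rather than next to the files it describes.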