####################################################################
Exercise:
####################################################################

####################################################################
Part 1: Logfiles
####################################################################

1) Go into /var/log and get familiar with the various logfiles.

2) Can you find any occurrences of the pattern ssh in those files?
   (hint: do a grep ...)
   If so, what do you find? In which files?
   .....

3) Take a look at /etc/syslog.conf - where are errors of the mail
   system being logged?

4) Find your apache web server's logs - can you see if you have had a
   visitor from 192.168.0.136? If so, what browser was he/she using?

5) Get the latest 10 lines from /var/log/messages and put them here:
   ....

6) Has anybody used sudo lately on your machine?

####################################################################
Part 2: swatch
####################################################################

1) Install swatch:

   #apt-get install swatch

2) Before you start, verify that your machine can send mails, by doing:

   #mail your_address@yourdomain.tld

   Check that you are getting that mail!
3) Edit the swatch configuration file:

   #vi /etc/swatchrc

   Add a rule, checking for some keyword of your choice, and make it
   send an email to you, like so:

   watchfor /:/
       echo bold red
       exec echo "some text for your email and a copy of what logline was found: $_ " | mail -s your_mail_subject your_address@yourdomain.tld

   Note that /:/ matches practically every syslog line, so expect one
   mail per logged line until you pick a sharper keyword. Also, swatch
   substitutes $_ (the matched line) into the exec command string before
   it is handed to a shell, and log lines contain text chosen by remote
   users (a failed ssh login records whatever username they typed), so
   keep that in mind before letting exec do anything beyond mailing.

4) Make a little sh script to start swatch:

   #vi runswatch.sh

   and put these lines into it:

-------------------- 8>< ----------------------------------------------
#!/bin/sh
/usr/bin/swatch --config-file=/etc/swatchrc --script-dir=/var/tmp \
    --tail-file="/var/log/messages" \
    --tail-args="-n 0 -F --max-unchanged-stats=3"
-------------------- 8>< ----------------------------------------------

   (swatch writes its generated watcher script into --script-dir and
   then runs it, so a directory only root can write to is a better
   choice than the world-writable /var/tmp.)

5) Use your script to start swatch and leave it running for some time,
   to see if you trigger any alert.

6) Add a second rule to /etc/swatchrc:

   #vi /etc/swatchrc

   and let it trigger a mail to swatch@less.dk

   I'm waiting for your mails! :)
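The log-hunting questions of Part 1 (ssh mentions, the apache visitor and
its browser, recent sudo use) as small shell functions, run against a
constructed mini /var/log tree so they can be tried without root. This is
an added example, not part of the original exercise; every log line,
file name and function name in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original exercise): Part 1 as shell
# functions over a constructed /var/log look-alike. All log lines are
# invented; the IP 192.168.0.136 is the one the exercise asks about.
set -u

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed auth.log: sshd logins and two sudo invocations.
cat > "$LOGDIR/auth.log" <<'EOF'
Mar  3 10:01:12 host sshd[2311]: Accepted publickey for alice from 192.168.0.20 port 51234 ssh2
Mar  3 10:02:40 host sshd[2318]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 10:05:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 10:07:15 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
EOF

# Constructed messages: no ssh here, just the usual noise.
cat > "$LOGDIR/messages" <<'EOF'
Mar  3 09:58:00 host kernel: [  120.112233] eth0: link up
Mar  3 10:00:00 host cron[2290]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:03:30 host postfix/smtp[2320]: connect to mx.example.net[198.51.100.9]:25: Connection refused
EOF

# Constructed apache access log in "combined" format (user agent is the
# last quoted field).
cat > "$LOGDIR/apache2-access.log" <<'EOF'
192.168.0.136 - - [03/Mar/2010:10:04:05 +0100] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20100101 Firefox/3.6"
198.51.100.23 - - [03/Mar/2010:10:04:09 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.19.7"
192.168.0.136 - - [03/Mar/2010:10:04:12 +0100] "GET /admin/ HTTP/1.1" 403 312 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20100101 Firefox/3.6"
EOF

# Question 2: which files mention the pattern? grep -l prints only the
# file names, -i also catches "SSH"; the sed strips the directory.
files_mentioning() {          # usage: files_mentioning PATTERN DIR
    grep -il -- "$1" "$2"/* 2>/dev/null | sed 's#.*/##' | sort
}

# Question 4: did IP visit, and with which browser? Split on the double
# quote so the user agent is field NF-1; match the IP as a literal
# prefix (not as a regex, where the dots would match anything).
visitor_agent() {             # usage: visitor_agent IP ACCESSLOG
    awk -v ip="$1" -F'"' 'index($1, ip " ") == 1 { print $(NF-1); exit }' "$2"
}

# Question 6: who has used sudo? The invoking user is the first " : "
# separated field after "sudo:".
sudo_users() {                # usage: sudo_users AUTHLOG
    awk '/ sudo: / { sub(/^.* sudo: +/, ""); split($0, f, " : "); print f[1] }' "$1" | sort -u
}

# Question 5 is just tail; shown here for completeness.
last_lines() { tail -n 10 "$1"; }   # usage: last_lines FILE

echo "files mentioning ssh: $(files_mentioning ssh "$LOGDIR" | paste -sd, -)"
echo "192.168.0.136 used: $(visitor_agent 192.168.0.136 "$LOGDIR/apache2-access.log")"
echo "sudo users: $(sudo_users "$LOGDIR/auth.log" | paste -sd, -)"
```

On a real box the same functions run as `files_mentioning ssh /var/log`,
`visitor_agent 192.168.0.136 /var/log/apache2/access.log` and
`sudo_users /var/log/auth.log` (paths vary by distribution); note that
sudo lines land in auth.log on Debian-style syslog setups, not in
messages, which is why question 3's look at syslog.conf matters.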
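A stand-in for the Part 2 swatchrc rule (watchfor /.../ plus exec ... | mail),
so you can see which lines a pattern catches and what the exec action
will send before pointing swatch at /var/log/messages. This is an added
example and is not swatch's own code or part of the exercise: the
sample log lines are constructed, the ALERT_TO variable and the
function names are assumptions for the demonstration, and the alert
cap is only a crude imitation of swatch's threshold action.

```shell
#!/bin/sh
# Added example (not swatch, not from the original exercise): emulate a
# swatchrc "watchfor" + "exec ... | mail" rule over a constructed sample
# of /var/log/messages. Addresses and lines are placeholders.
set -u

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Mar  3 10:00:00 host cron[2290]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:40 host sshd[2318]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 10:02:44 host sshd[2318]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 10:03:30 host postfix/smtp[2320]: connect to mx.example.net[198.51.100.9]:25: Connection refused
Mar  3 10:05:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
EOF

# Delivery: with ALERT_TO unset (assumed variable) the message is printed
# instead of mailed, so the matching can be exercised without a working
# MTA; export ALERT_TO=you@example.org to really send it with mail(1).
send_alert() {                # usage: send_alert SUBJECT < body
    if [ -n "${ALERT_TO:-}" ]; then
        mail -s "$1" "$ALERT_TO"
    else
        cat
    fi
}

# How many stdin lines does a pattern hit? Run this before enabling a
# rule: the exercise's /:/ hits every syslog line (they all carry a
# time stamp), i.e. one mail per line.
count_hits() {                # usage: count_hits PATTERN < logfile
    grep -Ec -- "$1" || true
}

# The rule: one alert per matching line, with the line passed to the
# mailer as data (the value swatch would substitute for $_), never
# re-parsed by a shell. MAXMAILS caps alerts per run, a crude stand-in
# for swatch's threshold action against alert storms.
watchfor() {                  # usage: watchfor PATTERN [MAXMAILS] < logfile
    pattern=$1; limit=${2:-0}; hits=0
    while IFS= read -r line; do
        printf '%s\n' "$line" | grep -Eq -- "$pattern" || continue
        hits=$((hits + 1))
        if [ "$limit" -eq 0 ] || [ "$hits" -le "$limit" ]; then
            printf 'swatch hit for /%s/: %s\n' "$pattern" "$line" \
                | send_alert "swatch: $pattern"
        fi
    done
}

# Dry run: the broad rule from the exercise versus a sharper one.
echo "lines matched by /:/ : $(count_hits ':' < "$SAMPLE")"
echo "lines matched by /Failed password/ : $(count_hits 'Failed password' < "$SAMPLE")"
watchfor 'Failed password' 1 < "$SAMPLE"
```

To try it against live data, feed it the same stream swatch would tail:
`tail -n 0 -F /var/log/messages | ./this_script.sh` with the dry-run
lines replaced by a single `watchfor 'sshd.*Failed password'`. Whatever
pattern you settle on here is the one to put into the swatchrc rule.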