Everybody knows that after an incident the most useful work is to analyze the logs. This work is hard and extremely long, especially if you want to read the raw logs generated by the various applications, like Apache, MySQL, syslog and so forth. So it's useful to have an interpreter tool able to generate more human-readable reports from application logs. You can find lots of these tools around the net; some of them have a nice graphical interface, like "Apache Log Analyzer" for OSX.
Others have just a horrible text interface but can analyze different kinds of logs from many applications. Today I want to point out LIRE, one of my favorite log analyzers. This tool can produce reports in several formats, including HTML, PDF, XML and so on. It can also analyze many log file formats, including MySQL, iptables, BIND, Apache, Qmail, Postfix, syslog and more. It is developed in Perl and I recommend installing all the dependency modules with CPAN (type "perl -MCPAN -e shell" on the command line as root).
Keep in mind that no log found on the compromised machine can be trusted, because the attacker may have changed any entry in the log file. For this reason I suggest implementing a remote log system such as syslog. It's native on Linux systems, easy to implement and really fast. On the log-collecting machine IP1 start syslogd so that it accepts remote messages (you will probably find it under /etc/init.d/syslog start, or just run syslogd -r). Then edit /etc/syslog.conf on the monitored machine IP2 as follows (the selector list and the @ip1 action are separated by whitespace; older syslogd versions require a tab):
auth.*;authpriv.*    @ip1
Last but not least, remember that the logging machine must be able to receive messages from the LAN, so if you've set up some iptables rules, make sure UDP port 514 is allowed from the monitored hosts.
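To show what "a more human-readable report from raw logs" means in practice, and what the auth/authpriv lines collected on the remote syslog host look like once you start asking questions of them, here is a small Python analyzer. It is an added example, not part of the original post and not LIRE's code. It assumes the classic "Mon DD HH:MM:SS host prog[pid]: message" layout that syslogd writes and the sshd message formats used in the constructed SAMPLE_LOG below; the host name web01, the IP addresses and the events are all made up.

```python
"""Parse syslogd-style auth/authpriv lines and build a short incident report.

Added example, not from the original post or from LIRE. Assumes the classic
syslog line layout and the sshd message wording shown in SAMPLE_LOG, which is
constructed sample data for the monitored host (IP2, here "web01").
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what the central syslog host (IP1) might hold. Not real data.
SAMPLE_LOG = """\
Mar 14 02:11:05 web01 sshd[2011]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 14 02:11:09 web01 sshd[2011]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 14 02:11:14 web01 sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Mar 14 02:12:40 web01 sshd[2020]: Accepted password for deploy from 198.51.100.23 port 40112 ssh2
Mar 14 02:12:41 web01 sshd[2020]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 14 02:09:58 web01 sshd[2031]: Accepted publickey for root from 203.0.113.7 port 51602 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line, year=1970):
    """Split one syslog line into fields; return None for lines we don't understand.
    Classic syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def build_report(text, year=1970):
    """Aggregate auth events the way a log analyzer would: failures per source IP,
    accepted logins per user, and timestamps that move backwards. On a central host
    that only appends what it receives, a backwards timestamp is worth a look."""
    failed = Counter()
    accepted = defaultdict(Counter)  # user -> Counter keyed by (ip, method)
    backwards = []
    unparsed = 0
    last_ts = None
    for raw in text.splitlines():
        rec = parse_line(raw, year)
        if rec is None:
            unparsed += 1
            continue
        if last_ts is not None and rec["ts"] < last_ts:
            backwards.append(raw)
        last_ts = rec["ts"] if last_ts is None else max(last_ts, rec["ts"])
        f = FAILED_RE.search(rec["msg"])
        if f:
            failed[f["ip"]] += 1
            continue
        a = ACCEPTED_RE.search(rec["msg"])
        if a:
            accepted[a["user"]][(a["ip"], a["method"])] += 1
    return {
        "failed_by_ip": dict(failed),
        "accepted": {u: dict(c) for u, c in accepted.items()},
        "timestamp_backwards": backwards,
        "unparsed": unparsed,
    }


def render(report):
    """Plain-text report, in the spirit of a text-mode log analyzer."""
    lines = ["Failed logins by source IP:"]
    for ip, n in sorted(report["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ip:<16} {n}")
    lines.append("Accepted logins:")
    for user, combos in report["accepted"].items():
        for (ip, method), n in combos.items():
            # A success from an address that was also failing is the first thing to check.
            flag = "  <-- accepted from an IP that also failed" if ip in report["failed_by_ip"] else ""
            lines.append(f"  {user:<8} {method:<10} {ip:<16} {n}{flag}")
    if report["timestamp_backwards"]:
        lines.append("Timestamps moving backwards (check ordering / possible editing):")
        lines.extend("  " + line for line in report["timestamp_backwards"])
    lines.append(f"Unparsed lines: {report['unparsed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(SAMPLE_LOG, year=2024)))
```

Run it as-is to see the report for the sample; point build_report at the file the central syslogd writes (the same selector, auth.*;authpriv.*, that the monitored host forwards) to get the same summary for real data. The backwards-timestamp check is deliberately simple: on the monitored machine itself an attacker can rewrite the file freely, which is the whole reason for shipping the lines to IP1 in the first place.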