Logging

To limit the maximum size that journals may use on the system, define the setting SystemMaxUse in /etc/systemd/journald.conf. Save the file, confirm that the settings are correct, then restart the journal daemon. Configuration Open /etc/systemd/journald.conf, copy the commented line, remove the hash, and assign it a value. SystemMaxUse=256M Note: depending on how many events happen on a system, this value might be too small. Make sure that the size for logs is big enough.

The journalctl command can show all events related to the kernel itself usig the --dmesg option. This option will filter out kernel messages and has a similar output as the dmesg command. Usage Use the full or shorter option to query the kernel messages. journalctl -k Looking for only the kernel messages of today? Combine it with the --since= option. journalctl -k -S "today"

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!" Log only some events by HTTP status Creating a map using $status The $status variable contains the HTTP status code that is normally returned to each request. We can leverage this status code to set a so-called boolean (true/false, or 1/0). Let’s define first the map and use the HTTP status.

A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable, by using find.

Logging commands on Linux with Snoopy Our customers often want to set-up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands. How it works Snoopy is a wrapper around the execve() function.

This guide is to help our users of the Lynis Enterprise Suite to configure a central node to receive Linux audit events. It provides some pointers on how to do a quick set-up, to store and forward events. This information is very valuable for forensic investigations and intrusion detection. Configure the server First start by configuring the server. Since this is a central log host, it should have enough disk capacity and enough bandwidth to sustain peaks.