Checking your logs
Syslogd is the daemon that controls all the system logging and its default
configuration file is the /etc/syslog.conf. If you dont have this file
(in your Unix system), you probably have a problem (unless using other
kind of log daemon).
Generally, when a "cracker" compromise a system, the first thing that
he wants to do is to hide himself. The easiest way is deleting the logs
or modifying its entries. Because of that, Rootcheck executes a lot of
checks to ensure the integrity of your /etc/syslog.conf and other
log files specified there.
/etc/syslog.conf doesnt exist!
You must have the /etc/syslog.conf in your system. If you are not
using another kind of log daemon, and you really dont have the syslog.conf,
you are in a trouble.
Log configured to send to /dev/null!
If you have any syslog.conf entry to /dev/null, i`m almost sure that someone
broke your system. Only a intruder would redirect your logs to the "system
Log configured to send to a remote syslog!
It`s a good pratice to have a logserver to analyse all logs. This entry
doenst mean that your system is compromised. Its only an advice showing
to where your logs are going on (check to see if that IP is a valid).
Log file does not exist!
If any of the log files specified on /etc/syslog.conf does not exist, you are
in a real trouble (someone deleted it).
Syslogd is not running!
If you receive this message, is because your syslogd is not running. It means
that or your ps is broken or someone killed your log daemon. Take a carefull
look when you receive this message.
$RootCheck: syslog.php ,v 1.0 2003/10/17, Daniel B. Cid$