syslog receives messages over Unix domain sockets and writes them to the respective files or systems.
/etc/syslog.conf is the configuration file of the syslog utilities. The entry given below is responsible for logging the authentication details to the file /var/log/secure.
The file /var/log/secure will contain the logs for user login details, failed login attempts, user creation, system poweroff, restart of authentication services etc.
So in case of any suspicion that a Linux system has been compromised, check for any change to the logging definitions, such as misspelled directives or redirection of the logs to a null file (/dev/null) etc., so that the logs are still routed correctly to their destination.
When reviewing the logs and correlating activities, the system time should be accurate. This will help to trace the time at which the compromise happened. So time sync should happen from a stratum 1 server and the time should be kept up to date. NTP should be implemented with the restrict option for the sync servers.
Implementing The Syslog server
Syslog should be configured to replicate logs to a centralised server. This protects the integrity of the logs from being compromised: crackers/hackers can manipulate the log files to wipe out the evidence once they have broken into the system.
To avoid this, the logs have to be logged remotely as well (making one more copy).
Creating a syslog repository.
The default syslog port is 514.
Step 1: (In Server)
On the remote system which will act as the syslog repository that accepts the logs:
# vi /etc/sysconfig/syslog
This will change the way that syslogd starts and make it listen on UDP port 514.
Now restart syslogd:
# service syslogd restart
iptables should be running to restrict which hosts can reach the syslog server.
Verify that it is listening on port 514:
# netstat -an | grep 514
Now the syslog server is ready to accept the logs.
Step 2: (In client)
Open the syslog configuration file on the client and make the changes to export the logs to the syslogd server:
# vi /etc/syslog.conf
With these entries, all severities of logs for the facility mail will also be logged to the server 192.168.1.100, and all the logs will be replicated to the syslog server syslogserver.domain.
Now restart (reload) the syslog service on the client:
# service syslog reload
Now the logs will be generated on both systems, so if a cracker changes the logs on a client, the copy on the log server is not affected. A daily log check is unavoidable to maintain the integrity of the system.
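As an added example (not part of the original article), the following POSIX shell functions audit a syslog.conf for the two points made above: selectors whose action is /dev/null (evidence being discarded) and whether a remote @host copy is configured. The configuration it reads is a constructed sample; the function names and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example: audit a syslog.conf for tampering signs described in the article.
# Constructed sample configuration (assumption); in practice pass /etc/syslog.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, RHEL-style /etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /dev/null
mail.*                                     -/var/log/maillog
mail.*                                     @192.168.1.100
*.*                                        @syslogserver.domain
EOF

# Strip comment and blank lines; the action is always the last field.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Print the selectors whose action is /dev/null (authpriv.* in the sample).
# Returns 1 if any are found, 0 if the file is clean.
find_null_sinks() {
    hits=$(active_lines "$1" | awk 'NF>=2 && $NF=="/dev/null" {print $1}')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Return 0 if at least one selector forwards to a remote host (@host action).
has_remote_copy() {
    active_lines "$1" | awk 'NF>=2 && $NF ~ /^@/ {found=1} END {exit found?0:1}'
}

# Count the remote targets; the article expects every log to exist on both systems.
count_remote_targets() {
    active_lines "$1" | awk 'NF>=2 && $NF ~ /^@/ {n++} END {print n+0}'
}

# On the server, confirm syslogd is actually listening on UDP 514 (live check).
udp514_listening() {
    netstat -anu 2>/dev/null | grep -q ':514[[:space:]]'
}
```

Run find_null_sinks and has_remote_copy against /etc/syslog.conf on each client as part of the daily log check; a non-empty null-sink list or a missing remote copy is a change worth investigating.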