Posted: Mon Mar 14, 2005 12:37 pm Post subject: Re: Syslog Daemon Questions
When searching a computer terminal or server is it imperative to retrieve the syslog daemon log for evidence in a case or just the actual file that is in question or files for investigation?
I would think you would want both to prevent the opposing party from claiming evidence tampering or an alternative reason for the suspected activity. With no good system logs, they could claim that some other user did X.
A non-digital equivalent:
LEOs are following D, whom they suspect of possessing drugs. D walks into his house carrying a package. D leaves the house w/o the package. LEOs enter the house, inspect the package and find drugs. It would make the prosecution's case much stronger if they could also show surveillance tapes showing that the only person to enter D's house in the last few days was D (thus foreclosing the alternative explanation).
Logs may also lend insight into how an attacker initially gained access to a machine. If you are following best practices, the log files will be part of the drive image that you check into evidence, so you should be good.
Posted: Wed Jul 27, 2011 1:16 am Post subject: syslog.conf
On Linux/Unix operating systems always look at the syslog.conf; it will direct you to the relevant active logs. If authpriv.* and auth.* are logged you will see where login information is kept locally or where it is forwarded to a remote syslog computer. In a corporate environment syslogs are typically forwarded to an event vault and local logs are kept to a minimum to free the sysadmin from disk management.
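As an added illustration of reading syslog.conf the way this post describes (example code, not the poster's), the script below parses classic selector/action rules and reports, for auth and authpriv, which local files and which remote hosts receive them. The config text and the host logvault.example.internal are constructed for the example; rsyslog's newer RainerScript syntax is not handled.

```python
# Constructed sample syslog.conf (classic syntax; logvault.example.internal is a made-up host)
SAMPLE_SYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                  /var/log/secure
auth.*;authpriv.*                           @logvault.example.internal
*.emerg                                     *
"""
FACILITIES = ("auth", "authpriv", "cron", "daemon", "kern", "mail", "syslog", "user")

def parse_syslog_conf(text):
    """Yield (selectors, action) per rule; selectors is a list of (facility, priority)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # malformed rule: no action field
        selectors = []
        for sel in fields[0].split(";"):
            if "." in sel:
                facs, prio = sel.rsplit(".", 1)
                selectors.extend((f, prio) for f in facs.split(","))
        yield selectors, fields[1].strip()

def matched_facilities(selectors):
    """Apply selectors left to right; a later 'facility.none' removes that facility."""
    matched = set()
    for fac, prio in selectors:
        if prio == "none":
            matched.discard(fac)
        elif fac == "*":
            matched.update(FACILITIES)
        else:
            matched.add(fac)
    return matched

def log_destinations(text, wanted=("auth", "authpriv")):
    """Map each wanted facility to its local log files and remote forwarding hosts."""
    dests = {f: {"local": [], "remote": []} for f in wanted}
    for selectors, action in parse_syslog_conf(text):
        if action.startswith("@"):
            kind, target = "remote", action.lstrip("@")  # '@' = UDP, '@@' = TCP (rsyslog)
        elif action.startswith(("/", "-/")):
            kind, target = "local", action.lstrip("-")  # leading '-' = async write, not path
        else:
            continue  # '*' (wall), '|' (pipe) or a user list: not a stored log
        for fac in matched_facilities(selectors) & set(wanted):
            dests[fac][kind].append(target)
    return dests
```

Running log_destinations(SAMPLE_SYSLOG_CONF) shows auth landing in /var/log/messages and authpriv in /var/log/secure, with both also forwarded to the remote host, which is exactly the split between local and vaulted evidence the post warns to check.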