devialog - Syslog Anomaly Detection
The page has moved and will no longer be updated here. Please update your bookmarks and continue to http://devialog.org/
devialog Quick Start Guide
- As root, install the required Perl modules (if needed)
# perl -MCPAN -e 'install Mail::Sendmail'
# perl -MCPAN -e 'install File::Tail'
- It is suggested to run devialog as a non-root user, self contained in the users home directory. Therefore, as root, add a user, give the user permissions to read the syslog files, create and set permissions on anomalies file and unzip the devialog-current.tgz tarball to the newly added home directory
# adduser devialog
# chown devialog /var/log/messages
# chmod 400 /var/log/messages
# touch /var/log/anomalies
# chown devialog /var/log/anomalies
# chmod 600 /var/log/anomalies
# su - devialog
$ tar xvfz /path/to/devialog-current.tgz
$ cd devialog-current/
- If devialog is to be run on a central syslog repository, ensure syslog is presently running and configured to startup in listening mode with the "-r" switch. It is highly recommended to configure a host to be a central syslog repository if you intend on monitoring many systems.
# syslogd -r
- Open devialog.conf in your favorite editor. This file is well commented and contains nearly all configuration settings. Please go through the file in its entirety and change the email addresses, mail servers, etc.
- Run devialogsig.pl - Copy the following for a standard Linux install. This will need to be run for each logfile to be monitored that is configured in devialog.conf. For example,
./devialogsig.pl -l /var/log/messages -c messages.sigs -t syslog -C
* devialog looks for at least a day (ideally a week) of syslog to truly generate a useful signature base.
- Edit messages.sigs. Remove the signatures you want to be considered anomalies and have the action(s) defined in the devialog.conf AnomalyAction directive performed. For example, you may want to have all logins or useradd syslog events emailed to the address defined in devialog.conf. Simply remove the signature matching the login or useradd from the signature file (if the signature exists). The action(s) as configured in devialog.conf will then be taken, whether that is emailing, writing to a file, etc..
- Run devialog.
./devialog.pl -c devialog.conf
- Become root and configure the system to start devialog upon boot. Add the following line to /etc/rc.d/rc.local (or elsewhere depending on your OS)
su - devialog -c "/path/to/devialog.pl -c /path/to/devialog.conf"
For any questions/comments, contact the devialog author: Jeff Yestrumskas (CISSP, TICSA, NSA-IAM) - firstname.lastname@example.org