devialog - Syslog Anomaly Detection

Main · Quick Start · F.A.Q · Download · SF Project Page

devialog Quick Start Guide
  1. As root, install the required Perl modules (if needed)

  2. # perl -MCPAN -e 'install Mail::Sendmail'
    # perl -MCPAN -e 'install File::Tail'

  3. It is suggested to run devialog as a non-root user, self contained in the users home directory. Therefore, as root, add a user, give the user permissions to read the syslog files, create and set permissions on anomalies file and unzip the devialog-current.tgz tarball to the newly added home directory

  4. # adduser devialog
    # chown devialog /var/log/messages
    # chmod 400 /var/log/messages
    # touch /var/log/anomalies
    # chown devialog /var/log/anomalies
    # chmod 600 /var/log/anomalies
    # su - devialog
    $ tar xvfz /path/to/devialog-current.tgz
    $ cd devialog-current/

  5. If devialog is to be run on a central syslog repository, ensure syslog is presently running and configured to startup in listening mode with the "-r" switch. It is highly recommended to configure a host to be a central syslog repository if you intend on monitoring many systems.

    # syslogd -r

  6. Open devialog.conf in your favorite editor. This file is well commented and contains nearly all configuration settings. Please go through the file in its entirety and change the email addresses, mail servers, etc.
  7. Run devialogsig.pl - Copy the following for a standard Linux install. This will need to be run for each logfile to be monitored that is configured in devialog.conf. For example,

    ./devialogsig.pl -l /var/log/messages -c signatures.pl -t syslog -C

    * devialog looks for at least a day (ideally a week) of syslog to truly generate a useful signature base.

  8. Edit signatures.pl. Remove the signatures you want to be considered anomalies and have the action(s) defined in the devialog.conf AnomalyAction directive performed. For example, you may want to have all logins or useradd syslog events emailed to the address defined in devialog.conf. Simply remove the signature matching the login or useradd from the signature file (if the signature exists). The action(s) as configured in devialog.conf will then be taken, whether that is emailing, writing to a file, etc.. Note that signatures.pl is never executed; it contains a .pl extension for syntax hilighting purposes.
  9. Run devialog.
  10. ./devialog.pl -c devialog.conf

  11. Become root and configure the system to start devialog upon boot. Add the following line to /etc/rc.d/rc.local (or elsewhere depending on your OS)

  12. su - devialog -c "/path/to/devialog.pl -c /path/to/devialog.conf"


For any questions/comments, contact the devialog author: Jeff Yestrumskas (CISSP, QSA, NSA-IAM, TICSA) - jeff@yestrumskas.com SourceForge.net Logo
devialog - Copyright 2002-2008 Jeff Yestrumskas