Log cleaning

    • #3942
      former33t
      Participant

      I was curious if anyone knows of any good log cleaning tools out there that take care of extended process accounting on Solaris. I’m not trying to do something illegal. Quite the contrary actually. A pentest I was involved with recently had extended accounting on some Solaris servers, so even with credentials, we basically were on and off without a good tool to clean the logs. Same thing with BSM. As soon as you see it’s there, you have to get off or the test is over (if your admin is worth the money they are paying him). I got to thinking it can’t be too hard to write some cleaning tools. A Google search turned up nothing, but often doesn’t. Anyone know of anything out there before I get to coding?

      Thanks.

    • #25203
      timmedin
      Participant

      I don’t know of any.

      If that same admin is worth his money the logs should be shipped off the box anyhow so you would have to work on the SIEM.

    • #25204
      former33t
      Participant

      Yeah, that thought hadn’t escaped me, but you wouldn’t believe the number of INTERNET ACCESSIBLE boxes I find in pen tests that are only logging locally. Oftentimes the admin has been lulled into a false sense of security because they run a cron job or some such to fire off relevant log and audit entries to a logging server on a regular basis. In this case, it is just a matter of beating the cron (or simply pausing it) so you can clean your garbage out of the logs first.

    • #25205
      timmedin
      Participant

      @former33t wrote:

      Yeah, that thought hadn’t escaped me, but you wouldn’t believe the number of INTERNET ACCESSIBLE boxes I find in pen tests that are only logging locally.

      … Sad, but very true.

      I did figure out if you send the correct kill signal you can pause lots of logging, clear out the stuff you want removed, and then restart it. Obviously it depends on the logging app. I can never remember the correct signal name, and I am away from home right now so I can’t look it up.
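The two posts above describe the weakness from the attacker's side: logs that only leave the box on a schedule can be edited in the window before they ship, and a logger that is paused and restarted leaves a silent stretch behind. The defender's counterpart is to look for exactly that silence on the collector. The script below is an added example written for this thread, not code from any poster or tool mentioned here; it parses constructed syslog-style lines (the timestamp format, hostnames and messages are all made up for the example), derives the normal record cadence, and flags any interval that is several times longer than that, noting when the record that ends the gap is a daemon restart.

```python
"""Flag suspicious silences in a log stream.

Added example, not from the forum thread. Input format, host names and
messages are constructed for illustration. Run this against the copy of
the log held on the remote collector, not the copy on the host itself.
"""
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed line format: ISO timestamp, host, process, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)

# Constructed sample: a five-minute cron heartbeat, a 40-minute silence,
# and a syslogd restart marker that ends the silence.
SAMPLE_LOG = """\
2021-03-01T10:00:00 solaris01 cron[101]: heartbeat
2021-03-01T10:05:00 solaris01 cron[101]: heartbeat
2021-03-01T10:10:00 solaris01 cron[101]: heartbeat
2021-03-01T10:50:00 solaris01 syslogd[88]: restart
2021-03-01T10:55:00 solaris01 cron[101]: heartbeat
2021-03-01T11:00:00 solaris01 cron[101]: heartbeat
"""


def parse_log(text):
    """Parse lines into dicts with a datetime 'ts' and the 1-based line number."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["lineno"] = lineno
        records.append(rec)
    return records


def expected_interval(records):
    """Median of the positive gaps between consecutive records, or None."""
    secs = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(records, records[1:])]
    secs = [s for s in secs if s > 0]
    return timedelta(seconds=median(secs)) if secs else None


def find_gaps(records, max_gap=None, factor=3):
    """Return findings for out-of-order timestamps and over-long silences.

    If max_gap is not given, it is `factor` times the median record interval
    (one hour when no cadence can be derived).
    """
    if max_gap is None:
        base = expected_interval(records)
        max_gap = base * factor if base else timedelta(hours=1)
    findings = []
    for prev, cur in zip(records, records[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta < timedelta(0):
            # A clock stepped backwards or records were rewritten out of order.
            findings.append({"kind": "out_of_order", "lineno": cur["lineno"],
                             "gap_seconds": delta.total_seconds()})
        elif delta > max_gap:
            findings.append({
                "kind": "gap",
                "lineno": cur["lineno"],
                "start": prev["ts"],
                "end": cur["ts"],
                "gap_seconds": delta.total_seconds(),
                # A restart marker right after a silence is worth a second look.
                "restart_after": "restart" in cur["msg"].lower(),
            })
    return findings


def analyze(text, **kw):
    """Convenience wrapper: parse then scan."""
    return find_gaps(parse_log(text), **kw)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The cadence-derived threshold makes the check usable on streams with different base rates, but the timestamps it relies on are written by the host being examined, so the copy that matters is the one already received by the collector or SIEM: a gap there cannot be closed by editing the host's files, and a restart marker arriving after a long silence is a concrete thing to ask the administrator about.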

    • #25206
      UNIX
      Participant

      I haven’t touched Solaris once yet, but I am assuming that programs written in Python or similar languages should work on it. With Python it is, for example, very easy to automate various tasks.

      Gathering information on forensic tools such as Microsoft’s COFEE, EnCase Portable, etc., it should not be too hard to reverse the process and clean all logs which are gathered from them.
