23. Logs, Warnings and the Log Module

23.1. What and How

Each module uses an instance of a log-object from the Perl module /src/Log.pm to output results: in most cases, results are logged to both the corresponding local log file in /var/log/<module_name>.log and to the system logs via Sys::Syslog, to the local7 facility.

23.2. Miscellaneous Points of Note

• The syslog daemon should be configured to copy all logs to a remote, dedicated log-server, in addition.
  
  
• IDM_log_monitoring does not copy its results to syslog[-ng] as it is possible that in the event of a problem with, for example, the script taillogfile, feedback can occur — the /var partition would fill up and the system-administrator get the boot.

23.3. Configuration and Rotation

All logs written through this log are rotated — rotation period is set in Modules_Config.pm.

23.4. Warnings

Warnings in Cheesewire refer to possible or probable issues with the monitoring itself, not intrusion-related information. Messages appear in

    <sids_root>/var/log/WARNINGS

23.5. Subroutines

The following routines are available:

    append
    flush
    append_flush
        # ...append string to buffered log, flush buffer, append with flush;

    append_echo
    warn
    append_echo_warn
        # ...append string to buffered log with copy to stdout;  output
        #    string to warnings log;  append string and copy to stdout
        #    and warnings log;    

    indent
    un_indent
    output_title
        # ...very simple formatting routines...

    output_hash
    output_array
        # ...slightly higher-level routines which output the contents of 
        #    a hash or array, with a title, appropriate indentation, etc...