Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF's Logfinder

Posted by CmdrTaco on from the watching-the-watchers dept.

clonebarkins writes "EFF has just released a new software tool called "logfinder" to help server admins find (and delete) unnecessary log files on their boxen. "By finding unwanted log files, logfinder informs system administrators when their servers are collecting personal data and gives them the opportunity to turn logging off if it isn't gathering information necessary for administering the system.""

109 of 169 comments (clear)

  1. I just made one, too by Anonymous Coward · · Score: 4, Funny

    locate log

    1. Re:I just made one, too by NardofDoom · · Score: 1
      How about
      ls -R / | grep log | less
      --
      You have two hands and one brain, so always code twice as much as you think!
    2. Re:I just made one, too by MightyMartian · · Score: 1

      Hey, I patented that! Prepare for the lawsuit buddy! Oh yeah, I also patented defense attorneys, so you are SCREWED!

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:I just made one, too by Fulcrum+of+Evil · · Score: 1

      find . -name '*log*' -print will give you the paths too.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    4. Re:I just made one, too by OrangeTide · · Score: 1

      So your Anonymous Coward post was just logged by your system? neat!

      --
      “Common sense is not so common.” — Voltaire
  2. Thanks EFF! by teiresias · · Score: 1

    it also gives intruders/managers/employees/anyone with something to hide the ability to search and remove incriminating logs. Thanks EFF!

    --
    -Teiresias
    1. Re:Thanks EFF! by Anonymous Coward · · Score: 2, Insightful

      Pair it with TOR and hacking becomes untraceable! 2005 is going to be a great year.

    2. Re:Thanks EFF! by MankyD · · Score: 1

      it also gives intruders/managers/employees/anyone with something to hide the ability to search and remove incriminating logs. Thanks EFF!

      don't give them root/admin access - i.e. don't give them permission to delete the logs.

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    3. Re:Thanks EFF! by innerweb · · Score: 5, Insightful
      As is always, that which helps to protect the innocent can be used to protect the *evil*. The problem is the innocent do not know what is being done, and the *evil* are studying and learning to use and abuse. Nothing new there.

      InnerWeb

      --
      Freud might say that Intelligent Design is religion's ID.
    4. Re:Thanks EFF! by compass46 · · Score: 1

      So does rm...

    5. Re:Thanks EFF! by flyingsquid · · Score: 2, Funny
      As is always, that which helps to protect the innocent can be used to protect the *evil*."

      Yeah, sure. You guys are so paranoid, next you're going to be telling me that the flesh-reanimation technology I've been working on can be used for evil too.

    6. Re:Thanks EFF! by zootm · · Score: 1

      As some other comments already beat me to saying, the people with something to hide are already hiding it.

    7. Re:Thanks EFF! by theguyfromsaturn · · Score: 2, Funny

      Yeah, sure. You guys are so paranoid, next you're going to be telling me that the flesh-reanimation technology I've been working on can be used for evil too.

      Sure can. My wife just used your invention to bring back to life her dead mother. That is nothing but pure evil, believe you me.

      --
      I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
  3. Is a new tool really necessary? by Lord+Kano · · Score: 3, Insightful

    A competent admin will know that his/her boxen are collecting personal data. An ethical admin will get rid of any unneeded data.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:Is a new tool really necessary? by Lord+Kano · · Score: 1

      I was 20 in 1995.

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  4. Can't subpeona what doesn't exist? by PornMaster · · Score: 5, Insightful

    Is the point of this that law enforcement can't subpoena records that don't exist?

    --
    500GB of disk, 5TB of transfer, $5.95/mo
    1. Re:Can't subpeona what doesn't exist? by xC0000005 · · Score: 3, Interesting

      I think so, but really it's just another step in an arms race. How long until we see court orders to collect this sort of information? Or forbidding the use of log destruction/filtering tools?

      --
      www.voiceofthehive.com - Beekeeping and Honeybees for those who don't.
    2. Re:Can't subpeona what doesn't exist? by sporktoast · · Score: 4, Insightful

      If an admin is just using this tool to destroy potentially incriminating logs, then they are using it poorly. Like trying to pound a screw in with a hammer.

      The use this has for an admin is to survey (or for the less experienced admin, to discover) what logs the system is currently, so that the admin can decide as a policy which logs should be active or not, and with what level of detail. The itch this tool scratches is that many systems as a default keep more logs than perhaps are necessary. A good admin will shut off whatever is deemed unnecessary, based on multiple criteria (security, system load, user/company privacy).

      Forbidding the use of log destruction tools (rm?) is moot. Destroying evidence is illegal. Now, laws (or court orders) mandating a level of logging are a completely different matter.

      --
      In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss.
    3. Re:Can't subpeona what doesn't exist? by jafiwam · · Score: 3, Informative

      Destroying evidence is indeed illegal. However, before you are aware of, or have "reasonable belief" of a lawsuit or criminal investigation logs are not evidence yet and may be deleted freely.

      I do exactly that with logs for my company. Once a month I clean out everything we don't need, including "email logs" and other stupid shit MS piles up in various places in the operating system. If/When the lawyers/cops come knocking, I can point to the policy and scheduled reminder and say "sorry, dont have that".

      Logs are not the only place stuff resides and piles up, but it's one easy fix and keeps my servers and machines clear of unnecessary disk-space robbing files.

    4. Re:Can't subpeona what doesn't exist? by Threni · · Score: 2, Funny

      > Once a month I clean out everything we don't need, including "email
      > logs" and other stupid shit MS piles up in various places in the operating
      > system. If/When the lawyers/cops come knocking, I can point to the policy
      > and scheduled reminder and say "sorry, dont have that".

      "...but if you'd have come yesterday you could have had 30 days worth".

      I think I prefer the policy apparantly in place at www.cryptome.org, which is to delete all your logs every 24 hours.

    5. Re:Can't subpeona what doesn't exist? by k_stamour · · Score: 1

      "Forbidding the use of log destruction tools (rm?) is moot. Destroying evidence is illegal. Now, laws (or court orders) mandating a level of logging are a completely different matter."

      Great, get busted for rotating my logs......

      --
      Julius Caesar - Act I, Scene i: "What mean'st thou by that? Mend me, thou saucy fellow!"
    6. Re:Can't subpeona what doesn't exist? by Threni · · Score: 1

      I think you've posted your reply to the wrong post!

    7. Re:Can't subpeona what doesn't exist? by DustMagnet · · Score: 1
      Is the point of this that law enforcement can't subpoena records that don't exist?

      Hackers also like these records and they are more common than law enforcement where I work.

      --
      'SBEMAIL!' is better than a goat!!
    8. Re:Can't subpeona what doesn't exist? by phorm · · Score: 1

      Yes, but it sucks if they or somebody they provide for got owned 2 days ago without noticing... logfiles do have a purpose other than espionage.

    9. Re:Can't subpeona what doesn't exist? by Threni · · Score: 1

      > Yes, but it sucks if they or somebody they provide for got owned 2 days ago
      > without noticing... logfiles do have a purpose other than espionage.

      Sure, but for some sites it's more important that visitors aren't tracked. Surely the log file helps you discover who owned you, not the fact that it occured. In some cases just knowing that you've been compromised is enough - clean up and go back online. Taking www.cryptome.org, for instance. If he gets attacked, he could fix the exploit, check no files have been altered, and go back online again. I'm not sure the site owner is that interested in chasing up the attackers for possible legal action.

  5. I appreciate the effort but... by garcia · · Score: 4, Insightful

    I would seriously hope that:

    a) the sysadmins are competent enough to handle this themselves. I would think that a sysadmin would know how to use some sort of local file search.

    b) the EFF understands that it's not always up to the sysadmins to determine the amount of time to keep logs that might be used against an individual.

    1. Re:I appreciate the effort but... by ObsessiveMathsFreak · · Score: 3, Informative

      Most MCSE trained, NT sysadms don't really have a complete understanding of their servers and how they work. Most are just part time admins, doubling up as postmasters, network support and helldesk frontliners. A great many Windows server administrators are simply in fact, the company management accountant, who may never have recieved any computer training whatsoever! Many will not know where to begin looking for files without googling for the answer. This issue stems from the poor quality of the MCSE courses about, rather than from organisational difficulties with the NT servers themselves.

      Admittedly NT logfiles are slightly more organised than *nix logfiles. Most will at least be under c:\Windows\system rather than spread over /etc /var /usr /root /usr/X11 and even (I kid you not) /bin. The rather haphazard way different programs save their files about *nix systems can be a headache sometimes. It would be nice if someone would standardise the process. However, such a thing has been tried with disasterous results, i.e. the windows registry, so I guess I should be careful what I wish for!

      In short, competant *nix admins will know most of the many location where their important daemons are storing logfiles. NT admins on the other hand, many not even know what daemons are running on the machine anymore, let alone where they store their log files!

      P.S.
      Hey wait! This is a python app. I guess NT admins will just have to keep on googling.

      --
      May the Maths Be with you!
    2. Re:I appreciate the effort but... by Otter · · Score: 2, Interesting

      Unix admins versus MCSE's aside -- do you want your admin (on any platform) deleting files without understanding why they're there, just because some script from the EFF pointed them out to him?

      --
      What I'm listening to now on Pandora...
    3. Re:I appreciate the effort but... by Knuckles · · Score: 1

      spread over /etc /var /usr /root /usr/X11 and even (I kid you not) /bin.

      wtf? What distro are you running?

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    4. Re:I appreciate the effort but... by c0dedude · · Score: 1

      God, I hope helldesk was a typo...

      --
      Since when has this country used intellectual elite as a pejorative term?
    5. Re:I appreciate the effort but... by EnronHaliburton2004 · · Score: 4, Informative

      Admittedly NT logfiles are slightly more organised than *nix logfiles. Most will at least be under c:\Windows\system rather than spread over /etc /var /usr /root /usr/X11 and even (I kid you not) /bin. The rather haphazard way different programs save their files about *nix systems can be a headache sometimes. It would be nice if someone would standardise the process.

      I don't think you understand *nix logging, or you've been working with poorly-designed systems.

      Locations for log files has been pretty well standardized by Posix and the LSB. Logs generally go in /var/log (or /var/adm on older systems), or in $APPLICATION_ROOT/log. A sysadmin might write a log to /var or /root, but those are temporary logs.

      Logfiles which end up in /etc, /bin, /usr or /usr/X11 is the result of poor or very old configuration.

      Now, compare this to a Windows 2003 Server running Exchange 2003, where the log files in c:\windows c:\Windows\system c:\Windows\system\Logfiles c:\Windows\system\security
      C:\Program Files\Exchsrvr\ C:\Program Files\Exchsrvr\MDBDATA C:\Program Files\Exchsrvr\mtdata . Many of the logfiles are not viewable with a text viewer. Some of the log files really aren't "Log files", but are "Transaction Logs", which is a different thing in my book.

      Some of this makes sense, some of this does not. But I'm not a windows admin, and I didn't design this network here, so maybe this is the result of a poor configuration.

      --
      94% of Repubs and 21% of Dems voted to renew the Patriot Act
    6. Re:I appreciate the effort but... by Otto · · Score: 1
      Admittedly NT logfiles are slightly more organised than *nix logfiles. Most will at least be under c:\Windows\system rather than spread over /etc /var /usr /root /usr/X11 and even (I kid you not) /bin. The rather haphazard way different programs save their files about *nix systems can be a headache sometimes. It would be nice if someone would standardise the process. However, such a thing has been tried with disasterous results, i.e. the windows registry, so I guess I should be careful what I wish for!

      There are standards, of a sort, it's just that there's no constraint on the program to follow those standards. I mean, any program worth its salt should be logging to /var/log/something. That's what the whole /var tree is for, to store variable data. Files that the system should be able to write to.

      The filesystem hierarchy is well defined, afterall.
      /bin = Essential command binaries
      /boot = Static files of the boot loader
      /dev = Device files
      /etc = Host-specific system configuration
      /home = User home directories (optional)
      /lib = Essential shared libraries and kernel modules
      /mnt = Mount point for mounting a filesystem temporarily (should usually be empty)
      /opt = Add-on application software packages
      /root = Home directory for the root user (optional)
      /sbin = Essential system binaries
      /tmp = Temporary files
      /usr = Secondary hierarchy, where all the major applications, documentation, everything else goes. Should be used for static files that don't change a lot.
      /var = Variable data that does change a lot.
      Apps can do the wrong thing, but it is usually well defined as to what they *should* do.
      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    7. Re:I appreciate the effort but... by Darth_Burrito · · Score: 2, Insightful

      the sysadmins are competent enough to handle this themselves.

      I didn't bother to read a description of the tool, but there's nothing to say that a competent admin might not want something like this if it eased his burden. Also, there's the matter of incompetent admins. Many of us wear multiple hats. I do development, support, and administration on linux and windows for a small office, mostly by myself. Suffice to say, nobody can be perfect at everything. I'm always looking for tools that help me automate common tasks and, generally speaking, manage more with less.

    8. Re:I appreciate the effort but... by golgotha007 · · Score: 1

      dammit, you're blowing our cover!

      someone please gag this man!

    9. Re:I appreciate the effort but... by poot_rootbeer · · Score: 1


      Yeah, well I don't think that Unix distributions should include the find command!

      I would seriously hope that the sysadmins are competent enough to do a recursive ls and pipe that into grep when they want to locate a file with a particular name!

      (Seriously, what's wrong with providing toolsets to administrators that would like to use them?)

    10. Re:I appreciate the effort but... by phorm · · Score: 1

      For the list:

      Apache: /var/log
      Syslog: /var/log
      Apache-ssl: /var/log
      Samba: /var/log
      LPD: /var/log
      FTP: User-defined in config
      Email programs: /var/log (except for individual user procmail logs which are in their homedirs)

      Not really sure what system the grandparent was using, but all my logs have generally been easy to find too. The only time logs go somewhere else is if *I* want them to, usually in the event that somebody else is hosted on my machine and I want them to have access to their own logs but not those of others...

  6. Serious Administrators by superpulpsicle · · Score: 1, Funny

    Most administrators already have effective methods of managing their logs. They crontab the hell out of it.

  7. Oh, yeah by Otter · · Score: 4, Funny

    God forbid professional sysadmins should be expected to understand how their services are configured and what files are being written. If I were a user on one of their systems, sendmail log files would be the least of my concern.

    --
    What I'm listening to now on Pandora...
    1. Re:Oh, yeah by johnlcallaway · · Score: 1

      Oh ... so you think that the release notes written by development teams and software vendors are accurate.

      Poor, naive admin. You have much to learn. Fuser is your friend.

      --
      I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    2. Re:Oh, yeah by stephenbooth · · Score: 3, Insightful

      In an ideal world every system would be administered by a well trained and experienced system admin, or a trainee admin being mentored by one, who had plenty of time to investigate and maintain the machine. In practice most system admins are people in other roles (developers, DBAs, desktop support or even receptionists) who have been handed the task of managing half a dozen white box Wintel servers (with maybe a SCO or Linux box or even an aging Sun box in the mix) and probably a Netware server doing file and print, most were built and installed by someone one of the manager's knows or have been inherited third hand from another company. If they're lucky they get a training course where they'll learn a few of the GUI screens, more likely they'll be given a few dozen pages of handwritten notes (aka 'the manual') and told to go to the nearest Waterstones/Borders/Whatever and buy a book if they need more.

      That was pretty much my first job. I had trained as a C programmer; then I found myself managing 70 desktops running various versions of Windows, a dozen or so White Box Intel based servers running Windows NT 3.51 and 4.0, a SCO OpenServer box, an Alpha running VMS, a 3 member VAX cluster running VMS and an RS6000 running AIX. All with no usable documentation or training. A little later they added in DBAing the Oracle databases and managing the network (a variety of devices from 3Com, Cisco and Bay), at the time I only knew a bit of SQL and wasn't really sure of the difference between a router and a switch. After spending a lot of money on books then a lot of time reading them (I didn't have web access at the time, when I did I started reading websites as well) I eventually learned what I needed to know.

      This script is a separate issue. Inpractice I don't expect those sorts of admins to run it, they probably wouldn't know what to do with the information if they did. Where I think it would be useful is for the professional admin who suddenly inherits a bunch of machines (maybe they've moved companies or their company has merged with another). Put this script on them and run it for a few days then see what it turns up. No matter how wonderful and professional you are unless you built and installed a machine yourself and can guarantee that no-one else has ever had the root/admin password to a box you can't be 100% sure that there's not some process running somewhere that is quietly logging something somewhere. No-one who manages a non-trivial number of machines has time to check every machine to make sure that there are no new or unexpected services that have snuck in (and remember it's not something you could do once and then not again, you'd have to keep on doing it). That's why you need scripts that look for anything that could point to unexpected activity. Not just looking for anything that looks like a log on a box but also ports that shouldn't be open (I've lost count of the number of times I've found a box with port 25 open when I know I've disabled SMTP, only to find that someone has re-enabled it without telling me) or unexpected activity on a switch or firewall port. Not only do we have too many machines to manage but also users who delete files they shouldn't which then must be restored from backup, managers who constantly demand reports on system availabity stats and projects that we have to keep an eye on to make sure they don't run wild and break every standard we have.

      Stephen

      --
      "Don't write down to your readers, the only people less intelligent than you can't read" - Sign on Newspaper Office Wall
  8. "Boxen" by m_member · · Score: 5, Funny

    Can I have a tool to locate and delete people who use the word 'boxen'? GPL preferably.

    1. Re:"Boxen" by cerberusss · · Score: 1
      You can, it's called VI. It's also used as an editor :D

      --
      8 of 13 people found this answer helpful. Did you?
    2. Re:"Boxen" by grouse · · Score: 1

      I think there ought to be a Privoxy module to do that. As an added bonus, it would s/virii/viruses/g.

    3. Re:"Boxen" by Sahib! · · Score: 1

      What is the plural of virus?



      In case you actually know any Latin, there is some dispute over whether virus is a second-declension noun, like amicus, "friend," plural amici, or a fourth-declension, like status, plural statuses. Personally, I believe it was fourth-declension, but it was rarely used in Latin at all, anyway.

      --

      I prayed about it, and God said, "Don't do it!" But I thought, "I know better."

  9. WTF is Boxen? by Evil+W1zard · · Score: 2, Interesting

    Am I behind the times in cool admin speak or was this simply boxes mispelled? In any case I could definitely see this being used for both good and bad.

    --
    News Reporters Make Tasty Polar Bear Treats!
    1. Re:WTF is Boxen? by mmkkbb · · Score: 1

      Box rhymes with ox. The plural of ox is oxen, so the plural of box is boxen.

      Mysteriously, admins don't seem use "mouses", or "hice", or "meese" (plural of moose)

      (Of course, then there's the ones who will vehemently argue that "its" is not a word because special cases are bad and "it's" is the proper possessive)

      --
      -mkb
    2. Re:WTF is Boxen? by MojoSF · · Score: 2, Insightful

      I also think of it as a nod to the old days when a room full of DEC VAX computers would be referred to as vaxen.

    3. Re:WTF is Boxen? by michaelggreer · · Score: 1

      I don't think "oxen" itself is the reason. I think folks like the German plural form (of which "oxen" is an English example) 'cause it sounds cooler.

    4. Re:WTF is Boxen? by lhaeh · · Score: 1
      It comes from the term used to describe multiple VAX machines (VAXen). The root of that word is oxen, admins refered to many VAXen as VAXherds.

      Unfortuniatily, the term has found its way onto Dictionary.com.

    5. Re:WTF is Boxen? by sbryant · · Score: 1

      Well, the German plural of ox (die Ochse) is "Ochsen," and in German, you do have multiple "Boxen."

      If the person who wrote the submission was German, I'm willing to forgive them. However, as "Carl" claims to have been born in Philadelphia (presumably the newer one in the US, and not the older one in the Middle East), he needs beating with at least two wet fish. Maybe it was the fault of the apes, although the spell in Elbonia probably didn't help.

      -- Steve

    6. Re:WTF is Boxen? by TheRaven64 · · Score: 2, Informative
      From the Jargon File:
      boxen /bok'sn/ pl.n. [very common; by analogy with VAXen] Fanciful plural of box often encountered in the phrase `Unix boxen', used to {Unix">describe commodity {Unix hardware. The connotation is that any two Unix boxen are interchangeable.
      And yes, you are seriously behind the the times. The oldest copy of the Jargon File I have is from the early '90s and that contains the word boxen.

      It can be quite useful, since boxen are always computers, while boxes can be the packaging the computers came in.

      --
      I am TheRaven on Soylent News
    7. Re:WTF is Boxen? by michaelggreer · · Score: 1

      Hey, "boxen" is totally standard admin speak, so don't beat him up. And my "oxen" example is, as I said, not German, but an example of a German-derived plural in English. Just trying to figure out why admins call them "boxen," not supporting the strange practice.

    8. Re:WTF is Boxen? by Pean · · Score: 1
      Boxen is from Brian Regan stand-up

      Here's the transcript...

      Plurals were hard, too.

      "Brian, how do you make a word a plural?"

      "You put a 's'...put a 's' at the end of it."

      "When?"

      "On weekends and holidays."

      "No, Brian. Let me show you." So she asked this kid who knew everything. Irwin. "Irwin, what's the plural for ox?"

      "Ox. Oxen. The farmer used his oxen."

      "Brian?"

      "What?"

      "Brian, what's the plural for box?"

      "Boxen. I bought 2 boxen of doughnuts."

      "No, Brian, no. Let's try another one. Irwin, what's the plural for goose?"

      "Geese. I saw a flock of geese."

      "Brian?"

      [Exasperated laughing]"Wha-a-at?"

      "What's the plural for moose?"

      "Moosen! I saw a flock of MOOSEN! There were many of 'em. Many much moosen. Out in the woods...in the wood-es...in the woodsen. The meese want the food in the woodesen...food is the eatenesen...the meese want the food in the woodesenes...food in the woodesenes."

      "Brian. Brian! You're an imbecile."

      "Imbecilen!"

      "What? Are you speaking German, Brian?"

      "German...Germaine...Germaine...Jackson...Jackson 5...Tito!"

      "Brian, what the hell are you talking about?"

      "I don't know. I don't know, really."

      --
      ----------
      "Duffman says a lot of things, OH YEAH!" - Duffman
    9. Re:WTF is Boxen? by Mr.+Slippery · · Score: 2, Interesting
      Just trying to figure out why admins call them "boxen," not supporting the strange practice.

      It's a running joke. See also this.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    10. Re:WTF is Boxen? by LuSiDe · · Score: 1

      Oh, don't worry. Boxen is the German or Dutch equivelant of boxing in English.

      --
      WE DON'T NEED NO BLOG CONTROL.
  10. EFF would sell more copies if... by Anonymous Coward · · Score: 1, Funny

    rather than letting the admin delete the logs, it instead automatically sent logs to the management.

  11. is this stupid? by digitalgimpus · · Score: 3, Insightful

    I'm sorry, but this might just be the dumbest move yet they have made...

    lots are crucial for many reasons:

    1. Hacking attacks (how else do you track them, and prevent them)?
    2. Abuse problems (spammers, credit card fraud)
    3. aggregate statistics (what percentage of my customers are based in Europe?)

    I can't see why someone would shoot themselves in the foot and use this.

    Like log files are really intrusive anyway.

    1. Re:is this stupid? by Dasein · · Score: 2, Insightful

      Don't use it. Seriously. If you are comfortable with the level of logging you have, okay. There are others, who may be in the positions of not wanting log files that identify users because of the expense associated with discovery or complying with a subpeona.

      Note, this is why large companies have email retention policies -- because having to do discovery or comply with a subpeona on email records going back years is expensive. So doing this type of thing isn't anything new or sinister.

      --
      You are not a beautiful or unique snowflake -- but you could be if you got off your ass.
    2. Re:is this stupid? by garcia · · Score: 1

      3. aggregate statistics (what percentage of my customers are based in Europe?)

      I know that webalizer keeps these statistics itself. You don't need to keep the rotated logs for that long. I would assume that you would use utlities that keep that extract that data and use it away from the actual logs themselves.

      Like log files are really intrusive anyway.

      Depends on what's being logged I guess.

    3. Re:is this stupid? by ducomputergeek · · Score: 2, Insightful
      I have to agree. I don't do much system administration work outside of our data-storage network these days, but even then I want to see what employees are putting on the 6TB system. Why? We've found porn before, against company policy, warezed games, against company policy, personal files, etc. before. For most random logs, they are archived every month and backup to optical media every quarter. But the storage system is supposed to be used to store completed video projects for the past year. Nothing else. The front office and bean counters have their own servers just for accounting information etc.

      Back when I was doing more web-based server admistration logs were my friends. We could tell people trying to find an open mail port, hacking attempts, DDOS attempts, etc..

      The EFF is becomming more like the ACLU in many regaurds. Had a very good reason for formation, but at some point went off the deepend. Privacy on the net is non-existant. Never was there, but somewhere along the way someone thought that the Internet was going to be this great tool of anaminity and I want to know who thought up that bloody idea. Because it was and always will be flase.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  12. Redhat by RalphLeon · · Score: 2, Informative

    The last time I checked out redhat (about version 8 I rekon) they inluded this nice little utility called "logviewer". And, I though, wow a text viewer how novel, Linux doesnt have many text viewers.

    So not only is this a text viewer, but it also finds all those logs hidden in /var/log/*, it must be hard to find anything in /var/log/* ...

  13. Just as an example... by PartialInfinity · · Score: 4, Insightful

    This is just EFF's way of reminding sysadmins to be vigilent about their log files, it's not meant to replace good administration habits.

    1. Re:Just as an example... by RalphLeon · · Score: 1

      I would have just said "hey, check your log files" and saved some development time/money.

  14. Interesting Motive by peterdaly · · Score: 3, Interesting

    My first thought was the main purpose of this would be to identify and eliminate "wasted" disk space. There are a bunch of logs that, without management, really just end up being wasted bits on your disk. Generally, that may be a useful utility, at least to me.

    I was suprised to see the EFF seems to have a totally different motivation. It seems their real motivation is that the government can't demand logs that don't exists, or more specifically you can't get in trouble for not providing what you don't actually have.

    Not sure what I think of that...

    --
    Soccer Goal Plans
    1. Re:Interesting Motive by ajs · · Score: 1

      There's a catch in thinking only of being served with a warrant for logs.

      The much more common case is a civil suit where logs are requested in discovery. Woefully, failing to produce logs for a particular period can weigh heavily against your side of the case in a civil matter. I know of several companies that keep email forever for example, only because defending themselves in a suit might rely on being able to demonstrate that actions were taken at a particular time. Saying "yeah, we did that then, but we don't have the paper-trail any more," simply does not cut it.

      Being concerned about big brother is one side of the coin, and while you should not lose sight of it, it's always important to remeber that there are other consequences of your actions.

    2. Re:Interesting Motive by Secrity · · Score: 1

      I am not a lawyer and I have had to comply with several subpoenas for computer records. Obviously you have never had to comply with a computer records subpoena. Pruning unnecessary logs saves disk space AND it is a real time saver. Do not decide to prune your logs after you receive a subpoena, and make sure that you comply with all applicable laws. Why are you surprised that the EFF would provide a utility that saves an admin trouble by removing unnecessary logs?

    3. Re:Interesting Motive by sckeener · · Score: 1

      I was suprised to see the EFF seems to have a totally different motivation. It seems their real motivation is that the government can't demand logs that don't exists, or more specifically you can't get in trouble for not providing what you don't actually have.

      Same thing libraries did to get around having to turn over patron's reading habits to the police.

      Of course the next step the government will take is passing a law requiring everyone to keep their logs for 5 years.

      --
      "Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
    4. Re:Interesting Motive by CmdrGravy · · Score: 1

      But how will that help defeat the Evil Terrorists ? Personally I would like a program which scans my logs for Arabic and automatically informs the necessary authorities

    5. Re:Interesting Motive by Secrity · · Score: 1

      Oh dear, I forgot about the Evil Terorists. Never mind what I said earlier; turn all your logging to maximum verbosity and retain all of your logs forever. Somebody needs to start spamming HTML propoganda posters that show that log retention is our patriotic duty.

    6. Re:Interesting Motive by Anonymous Coward · · Score: 1, Insightful

      Given that the EFF is motivated to oppose Internet regulation, this release should not be particularly surprising. Providing a tool of this sort to sysadmins grants those administrators a measure of "plausible deniability" when investigators request activity logs. If the administrator can say, "We wipe secondary logs four times a year and the more important ones yearly; it's our [written?] policy and it's coded into our software," the investigators have a weaker case for suggesting in-house conspiracy or negligence than if the log audits were carried out on an impromtu/"whenever-they're-getting-too-big" basis.

      Automatic log auditing is definitely a double-edged sword. It can provide cover for many types of misbehavior, but also gives the average sysadmin more legitimacy, especially in the eyes of the technically semi-literate.

      If nothing else, this release might inspire some of the more skilled admins out there to write their own code to automate their auditing, especially given some of the comments below on the *cough* functionality of the EFF package...

    7. Re:Interesting Motive by Fulcrum+of+Evil · · Score: 1

      But how will that help defeat the Evil Terrorists ?

      Actually, we love the evil terrorists, so we'd never want to defeat them. We must - after all, we're making so many of them.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  15. Re:Excellent by cerberusss · · Score: 1
    limited to 2 Gigs, so the log stopped growing when it hit that limit

    Umm, that's where logrotate is for. Yeah I know, there are some stupid vendors who don't support this out of the box, but it's not difficult to make it work with a random application.

    As a sidenote, this should be modded 'clueless', not 'informative'.

    --
    8 of 13 people found this answer helpful. Did you?
  16. Re:Excellent by ab384 · · Score: 3, Insightful

    Just two observations: (the second of which is actually relevant to this parent)

    1. It took me around 3 minutes to find out that this thread applies to POSIX-like systems only (ie. won't work on this winXP). The fact should really have been mentionned in the summary. I only say this because recently, some summaries seem to have been "hastily" written.

    2. I am myself wary of huge, hidden log files that either winXP itself or other programs create. As the only user and sysadmin on this system and keen to minimise disk wastage, I would want to prune all logs regularly. Trouble is, they aren't all *.log files. So, how do I find them, short of going through every single program and investigating any logs it might or might not create?

  17. interesting... by Spider[DAC] · · Score: 5, Informative

    Actually, it uses lsof and a few other niceties to locate open files that change over time, then scans them for presence of time/date stamps, mailaddress or other "log" activity.

    So, no, its not just "locate log" that somone suggested, nor is it "find /var/log" either, but a bit more complex.

    As for the comment about competent site-admin. This is a bit more than that too, its also about users and active software, peoples IRC logs, various ftp clients that clobber up and log passwords along with everything else in their config dir. And so on and so forth.

    --
    I didn't do this, now did I?
    1. Re:interesting... by scrotch · · Score: 2, Informative

      Right. From their README:

      "... We have created a program called logfinder as a sample means of locating files that might be logs on an existing system. logfinder uses regular expressions to find local files with "log-like" contents; you can customize those expressions if necessary to meet your needs. logfinder requires Python 2 or greater and finds logs in text files on a POSIX-like system. (It might also find some log-like data in binary files if the binary files represent that data in textual form.)

      logfinder can, if the lsof program is installed and when run with
      appropriate privileges, detect open files systemwide that grow larger over time. It can also search for text that may indicate logging activity within a given directory hierarchy, or systemwide. As we suggest above, a program like logfinder can find some, but not all, kinds of logging activity. For example, logfinder will generally not identify logs in binary (non-text) formats or logs kept inside
      databases. Therefore, using a program like logfinder is usually a supplement to, not a replacement for, answering questions like those given above.

      logfinder should be run as root. If logfinder is invoked without any arguments, it will examine open files systemwide to see whether they grow larger, and then indicate whether files that appear to be growing contain log-like text. (This requires lsof to be installed, and lsof's ability to report open files accurately may depend on your operating system. So far, we've had success with Linux and MacOS X, and some difficulty with FreeBSD and OpenBSD.)

      If logfinder is given one or more directory names as arguments, it will search for log-like text in files in those directories. ..."

      I haven't run it (and likely won't), but I'm curious whether it would ever flag stuff in /var/mail. It would be a lot of fun to have clueless admins cronning this and deleting mail every night.

    2. Re:interesting... by DustMagnet · · Score: 1

      Hmmm. That would catch my old "watch" program. It would watch a list of files for changes including read access times. I would put a few tempting targets in my home directory (world readable) and it would tell me when someone looked. These days I have my own UNIX machines, so my security is much different.

      --
      'SBEMAIL!' is better than a goat!!
  18. We have that already. by edunbar93 · · Score: 1, Funny

    Around here, we call that "logrotate."

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
    1. Re:We have that already. by zootm · · Score: 1
      > Around here, we call that "logrotate." logrotate is mentioned explicitely in the README file of the software.
      Some operating systems come with preinstalled log-rotation software. However, the log-rotation software provided by an operating system vendor is normally -- at best -- able to recognize and rotate logs created by vendor-provided software. If you have installed third-party application software, or software you have written or compiled yourself, it may keep logs completely outside the notice of log rotators. Here are some of the questions system administrators can ask themselves to ensure that their data retention policies are followed as faithfully as possible. Does my operating system have a log rotation utility such as logrotate? Is the log rotation utility enabled and functioning? Does it run automatically at predetermined intervals? Does the configuration of the log rotation software match my logging and data retention policy? Do I have any third-party application software or user-developed software that keeps logs? If so, is the log rotation software aware of them? Are there any logs that might exist in an unexpected place, such as a user's home directory? (For example, Unix sites that use procmail for e-mail delivery often have ~/.procmail/log files on a per-user basis, in parallel to and often redundant with systemwide e-mail log files. Similarly, a site with multiple virtually-hosted web sites may have separate site-by-site web transaction logging -- or logs from user-created CGI scripts -- within individual user home directories. These logs can be difficult to observe with a utility such as lsof, because they are usually not held open by the software that creates them, and may be updated relatively infrequently. Therefore, merely looking for open files or recently updated files may not unearth these sorts of logs.) Do I have application software that logs into a relational database table, such as an Oracle or MySQL database? (For extremely large logs, or logs that are intended to be routinely machine-readable, logging into a database is more likely than logging into a text file.) If so, are the records in the table allowed to persist forever, or are they periodically purged? Do I have applications that are configured to log over a network to a remote machine, using a facility such as syslog's loghost feature? (This is especially common in clusters and in centrally-administered networks.) If so, what is that machine doing with the log data it receives over the network? Do I have logs in binary formats (such as Unix wtmp/utmp or the Windows registry) that might be difficult to recognize as logs on sight? If my data retention policy calls for secure deletion of log files, is my log rotation software or other software that implements the policy using an appropriate secure deletion utility? (Files that are deleted but not overwritten might be undeletable in whole or in part. Some experts have also recommended means of multiply-overwriting files to reduce the chance that usable information might remain on magnetic media even after a single overwriting.)
  19. If your admin is competant enough by grahamsz · · Score: 1

    to take regular backups, then they shouldn't need the EFFs tool to wipe logs.

  20. Well.. by Ayanami+Rei · · Score: 1

    are you saying you don't stream your logs across the network/frame relay to another site where they are permanently stored and monitored by unrelated personnel? If you have seperate admin teams, make them in charge of other people's logs (and vice-versa). It's like a checks and balances system.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  21. Good work, but... by IBeatUpNerds · · Score: 2, Interesting

    You could be treading in some dangerous territory. Let's say, for instance, as a sysadmin, you know one of your users has been accessing some machine they should not access for whatever reason (immoral, illegal, etc...). Well, you run this tool and uncover evidence to support that theory, then discuss with JaneUser and, out of the goodness of your heart, decide to remove the logs in question. All is well.

    Two months later, "they" subpoena your logs to find no trace of evidence. Suspecting log-alteration, they subpoena the upstream providers logs and find correlating evidence that is mysteriously missing from your logs. So, JaneUser ends up getting in trouble, and the kind-hearted sysadmin gets slapped with evidence tampering.

    I think, if you're going to carry out any activity that needs covering up, then you need to be more in tune with the circumstances rather than dealing with these sort of things after the fact. Or you could just avoid illegal activity all together...

    1. Re:Good work, but... by catdevnull · · Score: 1

      Selectively editing your logs to omit/obscure nefarious activity doesn't require any special tools--that only requires poor ethics.

      --

      I might know what I'm talkin' about, but then again, this is Slashdot...
    2. Re:Good work, but... by Secrity · · Score: 2, Insightful

      I am not a lawyer, the following is a general discussion, your mileage and your laws may vary. It is possible that some jurisdictions may have laws that require the retention of data, I know of no such requirement in the US. Did I mention that I am not a lawyer?

      There is a difference between evidence tampering (illegal) and system administration (legal). If you remove data because it may be incriminating, you are tampering with evidence. It would also be illegal to delete data after you receive a subpoena or other legal demand. If you don't collect data or you have a policy to remove data after a certain period of time, you are administering a system. Another valid system administration policy is to remove log data when you fill a certain amount of disk space. You could also have a policy that says that you do not back-up certain logs. If you maintain logs or other data, a documented data retention policy is a Very Good Idea.

  22. Didn't the MPAA do something similar? by ghoti · · Score: 1

    I'm sorry, this reminds me of another recent story. I think the EFF is doing a lot of good things, but releasing this kind of agenda-pushing software does seem a bit strange to me.

    --
    EagerEyes.org: Visualization and Visual Communication
  23. Log Retention Policy by dRn-1 · · Score: 2, Insightful

    I can see how useful logfinder could be/is. And how it along with relevant administration, can eleviate the possibility that your systems are harbouring evidence of criminal activity... Could they seize any systems they deem necessary? I certainly wouldn't want any of my systems seized because I don't have a log retention policy, and hence when they ask do you have logs for such and such @ such and such a date, a reply of I'm not sure wouldn't go down too well! In short and IMHO having a log retention policy is a good idea... think I might recommend one myself.

  24. Re:Excellent by fons · · Score: 1

    do a search for big files (>1gig) on your disk that are not audio/video files.

  25. Re:neat by e2d2 · · Score: 4, Funny

    Any tool could probably be used for evil. For instance I have a calendar on my wall. If I took it down and rolled it up, I could probably beat you half way to death with enough strong blows.

  26. My experience with logfinder by carpe_noctem · · Score: 2, Informative
    Running openbsd 3.6 on x86:
    tresor:src$ tar xfvz logfinder-0.1.tar.gz
    logfinder-0.1
    logfinder-0.1 /logfinder.py
    logfinder-0.1/README
    logfinder-0.1 /COPYING
    tresor:src$ cd logfinder-0.1
    tresor:logfinder-0.1$ sudo ./logfinder.py
    Scanning for open files systemwide...
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'

    (repeats several dozen more times...)

    [Errno 2] No such file or directory: '(/dev/wd1a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/raid0a)'
    [Errno 2] No such file or directory: '(/dev/raid0a)'
    [Errno 2] No such file or directory: '(/dev/wd1a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/wd1a)'
    Scanned sizes of 30 files.
    Waiting for log activity; please allow time to elapse.
    Press Enter to continue.
    [Errno 2] No such file or directory: '(/dev/wd1a)'
    [Errno 2] No such file or directory: '(/dev/wd0a)'
    [Errno 2] No such file or directory: '(/dev/raid0a)'
    tresor:logfinder-0.1$ cd ..
    tresor:src$ rm -rf logfinder*
    At least the EFF's lawyers are better than their programmers. ;)
    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    1. Re:My experience with logfinder by carpe_noctem · · Score: 1

      Did you catch the part about "(This requires lsof to be installed, and lsof's ability to report open files accurately may depend on your operating system. So far, we've had success with Linux and MacOS X, and some difficulty with FreeBSD and OpenBSD.)".... ?

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  27. Re:Only if you don't do backups. by tchuladdiass · · Score: 2, Interesting

    That's why you use a tape backup tool that has an "Enron/Anderson" mode. Before writing any file to tape, encrypt it with a random key and store that key in you file locator database. Then when it is time to expire a particular file version, all you have to do is delete the index record. No need to wipe the tape. This is useful if you have data on a tape that expires at different times.
    Also, for security, the random keys should then be passed through a public key encryption prior to being written to the database.

  28. Re:boxen by sugar+and+acid · · Score: 1

    Boxes is a perfectly adequate plural form. Also on principle I dislike "boxen" because of its widespread use in leet speak.

  29. I don't think that makes sense. by clickster · · Score: 1

    Two months later, "they" subpoena your logs to find no trace of evidence. Suspecting log-alteration, they subpoena the upstream providers logs and find correlating evidence that is mysteriously missing from your logs. So, JaneUser ends up getting in trouble, and the kind-hearted sysadmin gets slapped with evidence tampering.

    How would it be "evidence tampering" if you didn't even know about the existence of an investigation until 2 months after you edited the logs? For you to be tampering with "evidence", doesn't there have to be a case existing at the time - an wouldn't you have to know about it?

    --
    If you mod me down, I shall become less powerful than you could possibly imagine.
  30. Could be moderately useful by WarmBoota · · Score: 2, Informative

    This tool could be moderately useful, especially in an environment where the administrator can't be expected to know all of the ins and outs of third-party add-ons.

    I was once assigned to a dotcom that used a third-party component to allow for credit card transactions. What the admin didn't realize was the default configuration left the component in debug mode, placing all user-submitted credit card data in plain text files on the web server

    We only found the log file accidentally while performing an unrelated search for files modified in the last 'n' days. The admin relied on the developers to configure the third-party component and the developers were relying on another set of consultants who didn't know or didn't care about the log files.

    --
    90% of everything is crap. Also, crap is relative.
  31. Re:Excellent by Frank+T.+Lofaro+Jr. · · Score: 1

    Just reinstall XP every week. You probably need to anyway to keep it running well.

    --
    Just because it CAN be done, doesn't mean it should!
  32. anybody else have this lock up their system? by rcpitt · · Score: 2, Interesting
    OK - I downloaded it, untar'd, and ran it as root on my Toshiba laptop (RH-9 2.4.20-31.9 kernel, 1G RAM) and the machine locked up. I had switched to another window and was looking at a log file while the program "thought" in the original window. I also had a number of remote ssh sessions open. The machine had been up for about 30 minutes today already.

    This system is rock solid, in use for hours/day with the exact same mix of programs running constantly (evolution, mozilla, ssh/rxvt windows to external systems, etc.)

    comments?

    --
    Been there, done that, paid for the T-shirt
    and didn't get it
  33. No offence to all the MOCKARY here.... by ninji · · Score: 1

    No offence to the fact that almost all the comments under this thread are mocking it.... But even as a professional admin whom has worked on hosting envrionment servers for years, sometimes I run into problems from a log file getting out of hand that hadnt been properly managed etc... It's hard to know and find them sometimes and, :O this does ;P

  34. Re:Excellent by TechnoLuddite · · Score: 1
    um. Yeah. Well.

    Don't want to accuse you of having your own agenda (*cough* Mr. lin ux.com *cough*), but reinstalling every week would seem to be a little extreme. XP may have vulnerabilities, and may not be as stable as Linux servers in the long run, but a properly configured XP box is relatively stable. Add in the requisite free software (firewall, malware catchers, et al: www.pcw orld.com/reviews/article/0,aid,116456,00.asp), and even if it's not as secure as Linux, it should still not need to be re-ghosted every 3 months, let alone every week.

    Seriously, has anyone who uses XP, on a regular basis, had a situation where they felt it necessary to reinstall weekly? I'd like to hear, if so ... if only to know what to look out for.

  35. Just what I needed.... by DeVilla · · Score: 1

    ...for my new r00t kit! Now I can upload this onto a machine to easily find all the sensitive logs to swipe and wipe. I'm gunna be a l33t hax0r. Yay me! (Now I just need to wait for a story about a new vunerability. This'll be kewl.)

    1. Re:Just what I needed.... by 0x000000 · · Score: 2, Funny

      Slashdot won't do you no good for new vulnerabilities. They are always a few days late with the news, and most system admins will have patched by then!

      --
      cat /dev/null > .signature
    2. Re:Just what I needed.... by LuSiDe · · Score: 1

      Yeah i was thinking among the same lines. I mean, those kids already made similar software.

      However regarding data integrity i rather run an application by the EFF than by some random kid i don't know. I trust the EFF more.

      --
      WE DON'T NEED NO BLOG CONTROL.
  36. Plurals... by Otto · · Score: 2

    If somebody could find me a device that would hunt down annyoing people who complain about improper pluralization among tech nerds, then I'd definitely pay for that.

    "Boxen" is fine. If the plural of ox is oxen, then pluralizing box as boxen seems perfectly acceptable to me. It also helps to understand that somebody is talking about a bunch of computers as opposed to a bunch of cardboard boxes. :-)

    But I swear that the next person who tells me (in person) that virii is not correct is getting a punch in the face. I mean it.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    1. Re:Plurals... by Kent+Recal · · Score: 1

      "Virii" is not correct.
      The plural of "virus" is "Virusen".

    2. Re:Plurals... by Otto · · Score: 1

      Why don't you get attain some self respect and start learning about the world you live in, instead of being so passive?

      Why don't you get a sense of humor instead of being such an idiot?

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    3. Re:Plurals... by Otto · · Score: 1

      HEY GUYS could you go down to the store and pick me up some BOXEN OF LUCKY CHARMS?

      That would be "Charmii".

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    4. Re:Plurals... by Bullet-Dodger · · Score: 1
      It's fine if you want to sound like a huge fucking dork all the time.

      As opposed to a suave ladies-man like yourself. Nothing's cooler than trolling slashdot.

  37. Virii is not correct by grouse · · Score: 1

    See my above comment.

  38. Server search? by null+etc. · · Score: 1

    Did the EFF just beat Google to the punch on a "Server Search" app?

  39. Re:Only if you don't do backups. by Q+Who · · Score: 1

    What's with database backups, genius?

  40. All your boxen belong to ux by Ohreally_factor · · Score: 1

    And yes, you are seriously behind the the times. The oldest copy of the Jargon File I have is from the early '90s and that contains the word boxen

    Well, maybe he's so behind the actually he's ahead. I don't know anyone but lamer kiddies and old farts trying desperately to be hip that really use the phrase anymore. It's almost as if it's become a marketing buzz word, and if you know anyone who uses it frequently to refer to computers is probably reaching out for acceptance or hoping that you'll think they're clever. Over reaching.

    When I hear someone use the word boxen, my first thought is "wannabee".

    --
    It's not offtopic, dumbass. It's orthogonal.