Legitimate Logging Logistics - ChristopherJamesMorton/Nice-Challenge-Solutions GitHub Wiki
We are told to build a centralized log server to make monitoring our network more manageable. The best way to do this would be to set up a log server on Domain-Controller and forward logs from every machine hosting critical services. The 'Syslog Watcher' and 'Eventlog Inspector' installers are on our Desktop on Domain-Controller. Syslog Watcher needs to create folders and files on the Desktop of Domain-Controller, named after the source IP and in CSV format. We are also asked to set the server IP address to its full IP address rather than its localhost alias (likely to move away from a DNS dependency), to forward events of level 'Info' and higher from the Windows machines, and to request only the 'System' and 'Firewall' event logs from the firewall.
- Logs Being Forwarded from AD
- Logs Being Forwarded from Firewall
- Logs Being Forwarded from Fileshare
- Logs Being Forwarded from Database
- Logs Being Forwarded from Prod-Joomla
Step one is installing the Syslog Watcher and Eventlog Inspector. You can log into Domain-Controller and run the installers provided on the Desktop.
You can keep the default settings in the wizard, but note that we are installing both the Syslog Manager and the Syslog Server, and that we also need the firewall rule exclusions. Both of these options are selected by default.
To set the automation, we need to configure the 'Export to files' and '--Destination' settings under Syslog Watcher's settings.
Select "Export only Syslog messages that match: Criteria..." and click the Criteria button.
In the Filter Criteria popup, deselect Debug logs as we only want Info and above.
Under "Export to files," go to "--Destination". Here we need to set the Destination folder to the Desktop and the subfolder and filename to use %SOURCE_IP%. We also need to make sure the encoding is UTF-8.
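To make the two export rules above concrete, here is an added example (not part of this write-up and not Syslog Watcher's own code) that does in Python what the GUI settings do: parse the `<PRI>` header of each incoming syslog line, drop Debug (severity 7) so only Info (severity 6) and more severe messages remain, and write one UTF-8 CSV per source IP under a `%SOURCE_IP%` folder and filename. The sample messages and the destination directory are constructed for the example; the `172.16.x.x` source addresses are illustrative only.

```python
# Added example (not from the challenge write-up, Syslog Watcher or Eventlog Inspector):
# a small stand-in for the export rules configured above, showing what
# "Info and above" and a %SOURCE_IP% destination mean in practice.
import csv
import io
import ipaddress
import os
import re
import tempfile
from collections import defaultdict

# Syslog severities (RFC 3164 / RFC 5424): 0 = Emergency ... 6 = Informational, 7 = Debug.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
INFO = 6  # "Info and higher" keeps numeric severity 6 or lower (lower number = more severe)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample traffic: (source IP, raw message as it would arrive over UDP/514).
SAMPLE_MESSAGES = [
    ("172.16.10.250", "<134>Jan  1 12:00:01 firewall filterlog: match,block,in,4,tcp"),  # local0.info
    ("172.16.30.10", "<135>Jan  1 12:00:02 fileshare sshd[42]: debug1: trying key"),     # local0.debug
    ("172.16.30.10", "<38>Jan  1 12:00:03 fileshare sshd[42]: Accepted publickey for u"),  # auth.info
    ("172.16.30.20", "no PRI header at all"),  # malformed: kept with severity 'unknown'
]


def parse_pri(raw):
    """Split the <PRI> prefix. Returns (facility, severity, rest) or None if malformed."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23, severity 0..7 -> largest legal PRI is 23*8+7
        return None
    return pri // 8, pri % 8, m.group(2)


def keep_info_and_above(severity, min_severity=INFO):
    """The 'deselect Debug' criterion: severity values above 6 are dropped."""
    return severity <= min_severity


def export_per_source(messages, min_severity=INFO):
    """Group filtered messages by source IP and render one CSV text per source."""
    rows = defaultdict(list)
    for src, raw in messages:
        parsed = parse_pri(raw)
        if parsed is None:
            rows[src].append(("unknown", "unknown", raw))  # never silently drop malformed input
            continue
        facility, severity, text = parsed
        if not keep_info_and_above(severity, min_severity):
            continue
        rows[src].append((str(facility), SEVERITY_NAMES[severity], text.strip()))
    result = {}
    for src, items in rows.items():
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["facility", "severity", "message"])
        writer.writerows(items)
        result[src] = buf.getvalue()
    return result


def write_csv_files(per_source, dest_dir):
    """Mirror 'Destination folder / %SOURCE_IP% / %SOURCE_IP%.csv', UTF-8 encoded.
    Returns {source_ip: path}."""
    paths = {}
    for src, text in per_source.items():
        ipaddress.ip_address(src)  # refuse anything that is not a plain address as a folder name
        folder = os.path.join(dest_dir, src)
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, f"{src}.csv")
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(text)
        paths[src] = path
    return paths


def demo(dest_dir=None):
    """Run the sample through the pipeline; returns {source_ip: csv text read back from disk}."""
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="syslog-export-")
    paths = write_csv_files(export_per_source(SAMPLE_MESSAGES), dest_dir)
    read_back = {}
    for src, path in paths.items():
        with open(path, encoding="utf-8", newline="") as fh:
            read_back[src] = fh.read()
    return read_back


if __name__ == "__main__":
    for src, text in demo().items():
        print(f"--- {src} ---\n{text}")
```

The `ipaddress.ip_address()` check is the one detail worth carrying over to any real collector: folder names derived from untrusted input must never be allowed to contain path fragments. Malformed lines are kept with an `unknown` severity rather than discarded, because a collector that drops what it cannot parse hides exactly the traffic an analyst most wants to see.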
The Eventlog Inspector wizard has no options, but you will need to configure the Syslog server IP address after installing. You can find the IP address of the Syslog Watcher under Settings->Networking->Show local interfaces.
Enter the IP of the Syslog server in the Eventlog Inspector settings under Settings->Syslog (you can test to see if it is successful).
Under Settings->Syslog, also change the setting so that all system events are forwarded to the Syslog server.
By default, the Eventlog Inspector service is set to start manually in Services, so change its startup type to Automatic.
At this point, if you have done everything correctly, you should see the checks for AD being successful.
From the domain controller, use your browser to navigate to https://172.16.10.250, and use the username "admin" and the password provided. You will need to accept the security warning and click Continue to this website.
Navigate to Status > System Logs > Settings and enable remote logging at the bottom of the page. Enter the Syslog Watcher address as IP:PORT (172.16.30.55:514). Tick the checkboxes for System Events and Firewall Events and click Save at the bottom of the page.
You should now have a green status for your firewall check.
Log into the Fileshare server.
We will need to modify the rsyslog.conf as root and restart the rsyslog service.
Log in as root:

```shell
sudo -i
```

Add our Syslog Watcher server to the configuration:

```shell
echo '*.* @172.16.30.55:514' >> /etc/rsyslog.conf
```

Restart the rsyslog service:

```shell
systemctl restart rsyslog
```
You should now see the green status for fileshare.
The Database server already has Eventlog Inspector on its Desktop, so run the installer wizard as before and use the same settings:
- Set the remote server to our Syslog Watcher on the domain controller.
- Set our logs to be forwarded.
- Start the Eventlog Inspector service and set it to start automatically.
You should now see the green status for Database.
Log into the Prod-Joomla.
We will need to modify the rsyslog.conf as root and restart the rsyslog service.
Log in as root:

```shell
sudo -i
```

Add our Syslog Watcher server to the configuration:

```shell
echo '*.* @172.16.30.55:514' >> /etc/rsyslog.conf
```

Restart the rsyslog service:

```shell
systemctl restart rsyslog
```
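The rsyslog step for Fileshare and for Prod-Joomla appends a legacy-syntax forwarding action with `echo >>`, which works once but adds a duplicate line every time it is re-run. As an added example (not part of this write-up or of the rsyslog project), the following Python helper parses the forwarding actions already present in an rsyslog.conf, tells UDP (`@`) from TCP (`@@`), and appends the `*.* @172.16.30.55:514` line only when an equivalent rule is missing. The sample configuration text is constructed; the regular expression is a deliberately narrow helper that handles plain hostnames and IPv4 targets only.

```python
# Added example (not from the challenge write-up or the rsyslog project): make the
# "append a forwarding line to rsyslog.conf" step repeatable. Running the page's
# echo >> twice leaves two identical actions; this checks first, then appends.
import re

# Legacy rsyslog action syntax: "<selector> @host[:port]" (UDP) or "@@host[:port]" (TCP).
# Hypothetical helper scope: hostnames/IPv4 only; IPv6 brackets and "(o)" options are not handled.
FORWARD_RE = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<proto>@@?)(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$"
)

# Constructed stand-in for an untouched /etc/rsyslog.conf.
SAMPLE_CONF = "# rsyslog configuration (constructed sample)\n*.* /var/log/syslog\n"


def parse_forward_rules(conf_text):
    """Return the forwarding actions present as dicts: selector, transport, host, port."""
    rules = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = FORWARD_RE.match(line)
        if m:
            rules.append({
                "selector": m["selector"],
                "transport": "tcp" if m["proto"] == "@@" else "udp",
                "host": m["host"],
                "port": int(m["port"] or 514),  # syslog default port when omitted
            })
    return rules


def ensure_forward_rule(conf_text, host, port=514, selector="*.*", tcp=False):
    """Return (new_text, changed). Appends the rule only if an equivalent one is missing."""
    wanted = {"selector": selector, "transport": "tcp" if tcp else "udp", "host": host, "port": port}
    if wanted in parse_forward_rules(conf_text):
        return conf_text, False
    line = f"{selector} {'@@' if tcp else '@'}{host}:{port}\n"
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + line, True


def apply_to_file(path, host, port=514, selector="*.*", tcp=False):
    """Read-modify-write a config file; returns True when it was changed."""
    with open(path, encoding="utf-8") as fh:
        current = fh.read()
    new_text, changed = ensure_forward_rule(current, host, port, selector, tcp)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    text, changed = ensure_forward_rule(SAMPLE_CONF, "172.16.30.55")
    print(changed, parse_forward_rules(text))
    print(ensure_forward_rule(text, "172.16.30.55")[1])  # second run: False, nothing appended
```

Two points for anyone adapting this: a single `@` means UDP, so forwarded events can be lost silently under load and are unauthenticated on the wire (`@@` selects TCP); and the selector `*.info` would drop Debug at the source rather than relying on the collector's filter, if you prefer to apply the "Info and higher" rule on the Linux hosts too. Running `rsyslogd -N1` after editing validates the configuration before the restart.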
Tada! You did it. All checks should be complete.