Windows Logging (SEC 350) - Chromosom3/TechNotes GitHub Wiki

Updated SSH on VyOS

We are going to change the SSH settings on our firewalls. We only want them to be manageable from a specific interface. To do this we are going to change the IP address that the service listens on, as shown below. https://docs.vyos.io/en/latest/configuration/service/ssh.html

configure
show service ssh
set service ssh listen-address 172.16.150.2
delete service ssh listen-address 0.0.0.0
commit
save

Updating Syslog on VyOS

We need to ensure that fw01-dylan is pointing to the correct IP address for syslog. Let's run the following command to set syslog to the new IP address.

set system syslog host 172.16.200.10 facility kern level debug

Now let's check on the settings.

It looks like it still has our old syslog IP; let's change that.

delete system syslog host 172.16.50.5

Let's double-check to ensure it looks right.

I forgot to set the right port! Let's run set system syslog host 172.16.200.10 port 1514 to fix that, and restart syslog afterwards. Still having issues. Let's remove authpriv and make our file match the example provided for the lab.

delete system syslog host 172.16.200.10 facility authpriv
set system syslog host 172.16.200.10 format octet-counted

Looks good; let's make sure to restart syslog.

exit
systemctl restart rsyslog

FW-MGMT-DYLAN Updates

Let's do everything on the management firewall.

configure
show service ssh
set service ssh listen-address 172.16.200.2
delete service ssh listen-address 0.0.0.0
show system syslog
# delete system syslog host 172.16.50.5 Not needed on this FW
set system syslog host 172.16.200.10 facility kern level debug
set system syslog host 172.16.200.10 format octet-counted
set system syslog host 172.16.200.10 port 1514
delete system syslog host 172.16.200.10 facility authpriv
commit
save
exit
systemctl restart rsyslog
logger -n 172.16.200.10 -P 1514 -t testfromfwmgmt message in a bottle
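The notes above switch the firewalls to format octet-counted on TCP port 1514 and then send a test line with logger. The following is an added example (not VyOS, rsyslog or Graylog code) showing what that framing looks like on the wire and how a receiver splits a TCP stream back into messages: a sender using octet counting and a receiver expecting newline-delimited messages (or the reverse) will not agree on message boundaries, which is the kind of mismatch that leaves an input silent or mangled. The hostname, tag and timestamp are constructed sample values; send_test_message is defined but not executed.

```python
"""Octet-counted syslog framing (RFC 6587), as VyOS sends with "format octet-counted".

Added example for these notes; not code from VyOS, rsyslog or Graylog.
The hostname, tag and timestamps used below are constructed sample values.
"""
import socket
from datetime import datetime, timezone

FACILITY_KERN, SEVERITY_DEBUG = 0, 7   # "facility kern level debug" from the notes


def build_syslog_message(tag, msg, facility=FACILITY_KERN, severity=SEVERITY_DEBUG,
                         hostname="fw-mgmt-dylan", ts=None):
    """Build an RFC 5424 message. PRI is facility*8 + severity, so kern/debug is <7>.

    ts is an RFC 3339 timestamp string; it defaults to the current UTC time.
    """
    pri = facility * 8 + severity
    ts = ts or datetime.now(timezone.utc).isoformat()
    return f"<{pri}>1 {ts} {hostname} {tag} - - - {msg}".encode()


def split_pri(message):
    """Return (facility, severity) decoded from the leading <PRI> field."""
    end = message.index(b">")
    pri = int(message[1:end])
    return pri // 8, pri % 8


def frame_octet_counted(message):
    """Octet counting: decimal byte length, one space, then the message (RFC 6587 3.4.1)."""
    return f"{len(message)} ".encode() + message


def parse_octet_counted(stream):
    """Split a TCP byte stream into complete messages; returns (messages, leftover)."""
    messages, buf = [], stream
    while True:
        sp = buf.find(b" ")
        if sp <= 0 or not buf[:sp].isdigit():
            break                        # no complete length prefix yet
        start = sp + 1
        end = start + int(buf[:sp])
        if len(buf) < end:
            break                        # message body not fully received yet
        messages.append(buf[start:end])
        buf = buf[end:]
    return messages, buf


def parse_syslog_stream(stream):
    """Dispatch on framing: octet-counted streams start with a digit, newline-delimited
    (non-transparent) ones start with '<'. Sender and receiver must use the same one."""
    if stream[:1].isdigit():
        return parse_octet_counted(stream)
    parts = stream.split(b"\n")
    return [p for p in parts[:-1] if p], parts[-1]


def send_test_message(host, port, message):
    """Send one octet-counted message over TCP, the explicit-framing equivalent of
    `logger -n HOST -P PORT` in the notes. Not executed here; point it at your own input."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(frame_octet_counted(message))
```

Running parse_syslog_stream over a buffer that ends mid-message returns the partial bytes as leftover, which is how a real receiver would carry them into the next read.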

VyOS Firewall Updates

Now let's let mgmt01-dylan SSH to the web server. After reviewing my configurations, it seems that the only firewall we need to edit is fw01. This is because the management firewall allows established connections from the LAN and allows any connection out at the moment.

set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 20 destination port 22
set firewall name LAN-to-DMZ rule 20 protocol tcp
set firewall name LAN-to-DMZ rule 20 source address 172.16.200.11
set firewall name LAN-to-DMZ rule 20 description "Allow access to web server from mgmt01-dylan via SSH"
commit 
save

We also want to allow web01 to reach out to NTP servers. Let's edit the firewall rules on fw01-dylan. We will need to adjust the DMZ-to-WAN and WAN-to-DMZ rule sets, because WAN-to-DMZ only allows port 80 connections and DMZ-to-WAN only allows established/related traffic. We will make it so DMZ-to-WAN allows connections to destination port 123 and WAN-to-DMZ allows established/related traffic.

configure
set firewall name DMZ-to-WAN rule 10 action accept
set firewall name DMZ-to-WAN rule 10 destination port 123
set firewall name DMZ-to-WAN rule 10 protocol udp
set firewall name DMZ-to-WAN rule 10 description "Allow NTP traffic to leave DMZ to WAN"
set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable
commit 
save
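The two rule changes above (LAN-to-DMZ rule 20 for SSH, and the DMZ-to-WAN/WAN-to-DMZ pair for NTP) only make sense together with first-match ordering and the established state. The following is an added example, not VyOS code, that models those rule sets as a toy stateful firewall and walks an NTP request and its reply through fw01. The rule numbers of the pre-existing rules (WAN-to-DMZ port 80, DMZ-to-WAN established) and the NTP server address are assumed; the rules added in the notes use the addresses and ports given there. It also accepts VyOS-style a-b address ranges like the one in the LAN-to-MGMT rule later on.

```python
"""Toy model of VyOS rule sets: first match by rule number, default drop, and an
"established" match backed by a connection table.

Added example for these notes; not VyOS code. Rule numbers of the pre-existing
rules and the NTP server address (203.0.113.10) are assumed/constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    number: int
    action: str                        # "accept" or "drop"
    protocol: Optional[str] = None     # None matches any protocol
    source: Optional[str] = None       # IP, CIDR, or "a-b" range; None matches any
    destination: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False          # like "state established enable"
    description: str = ""


def addr_matches(spec, ip):
    """Match a single address, a CIDR prefix, or a VyOS-style a-b range."""
    if spec is None:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


class Firewall:
    def __init__(self):
        self.rulesets = {}      # rule-set name -> list of Rule
        self.conntrack = set()  # 5-tuples of flows an accept rule let through

    def add_rule(self, name, rule):
        self.rulesets.setdefault(name, []).append(rule)

    def is_established(self, pkt):
        """True if this flow, or its reverse, was accepted earlier."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return fwd in self.conntrack or rev in self.conntrack

    def evaluate(self, name, pkt):
        """Return (action, matched rule number); rules are tried in numeric order."""
        for rule in sorted(self.rulesets.get(name, []), key=lambda r: r.number):
            if rule.protocol and rule.protocol != pkt.proto:
                continue
            if not addr_matches(rule.source, pkt.src) or not addr_matches(rule.destination, pkt.dst):
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.established and not self.is_established(pkt):
                continue
            if rule.action == "accept":
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return rule.action, rule.number
        return "drop", None   # default-action drop


def build_fw01():
    fw = Firewall()
    # State the notes describe before the change (rule numbers assumed)
    fw.add_rule("WAN-to-DMZ", Rule(10, "accept", protocol="tcp", dport=80, description="web"))
    fw.add_rule("DMZ-to-WAN", Rule(1, "accept", established=True))
    # Rules added in the notes
    fw.add_rule("LAN-to-DMZ", Rule(20, "accept", protocol="tcp", source="172.16.200.11",
                                   destination="172.16.50.3", dport=22,
                                   description="Allow access to web server from mgmt01-dylan via SSH"))
    fw.add_rule("DMZ-to-WAN", Rule(10, "accept", protocol="udp", dport=123,
                                   description="Allow NTP traffic to leave DMZ to WAN"))
    fw.add_rule("WAN-to-DMZ", Rule(1, "accept", established=True))
    return fw


def ntp_and_ssh_checks(fw=None):
    """Walk an NTP request/reply through fw01 and check the SSH rule; returns verdicts."""
    fw = fw or build_fw01()
    web01, ntp_server = "172.16.50.3", "203.0.113.10"   # NTP server address constructed
    return {
        "ntp_request": fw.evaluate("DMZ-to-WAN", Packet(web01, ntp_server, "udp", 50123, 123)),
        "ntp_reply": fw.evaluate("WAN-to-DMZ", Packet(ntp_server, web01, "udp", 123, 50123)),
        "unsolicited_udp": fw.evaluate("WAN-to-DMZ", Packet(ntp_server, web01, "udp", 123, 50124)),
        "ssh_from_mgmt01": fw.evaluate("LAN-to-DMZ", Packet("172.16.200.11", web01, "tcp", 40000, 22)),
        "ssh_from_other": fw.evaluate("LAN-to-DMZ", Packet("172.16.200.12", web01, "tcp", 40000, 22)),
    }


if __name__ == "__main__":
    for name, verdict in ntp_and_ssh_checks().items():
        print(f"{name:16s} -> {verdict}")
```

The unsolicited_udp case is the point of keeping WAN-to-DMZ restricted to established traffic rather than opening UDP/123 inbound: a packet from the NTP server that does not match a flow web01 started still hits default drop.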

Windows Setup

On MGMT01-Dylan we are going to install AD, but we need to sync time first. Let's run the following commands to achieve this. Once this is set up, we will set up reverse lookup zones for the subnets as well as configure A records for all the hosts in the environment.

w32tm /config /syncfromflags:manual /manualpeerlist:pool.ntp.org
net stop w32time
net start w32time
w32tm /resync
w32tm /query /source

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName dylan.local

VyOS Firewall Updates for AD

Let's allow connections to the new DC on fw-mgmt-dylan.

configure
set firewall name LAN-to-MGMT rule 40 action accept
set firewall name LAN-to-MGMT rule 40 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 40 source address 172.16.150.50-172.16.150.100
set firewall name LAN-to-MGMT rule 40 description "Allow traffic to the DC"
commit
save

Graylog Setup for Windows

We now need to configure a new input for Graylog to receive Windows logs. We will be using Winlogbeat to achieve this. Create a new Beats input.

Set the new input's settings to match the following. Note there is no TLS_KEY_PASSWORD; Graylog just puts those asterisks there.

Now we will update the firewall on the Graylog host to allow the new connection. Note that a --permanent rule only changes the saved configuration; reload firewalld (or add the rule again without --permanent) for it to take effect in the running ruleset.

sudo firewall-cmd --add-port 5044/tcp --permanent

We will be using Sidecars as the clients on the end devices. For this we will need to use a token to authenticate with Graylog. Let's create a new token now.

Sidecar on Windows

Let's download Sidecar on mgmt-dylan. The latest version can be downloaded from the link below. You can then use the commands shown below to install and set up Sidecar.

https://github.com/Graylog2/collector-sidecar/releases/

cd C:\Users\dylan\Downloads\
.\graylog_sidecar_installer_1.1.0-1.exe /S -SERVERURL=http://log01-dylan:9000/api -APITOKEN=TOKEN
cd 'C:\Program Files\Graylog\sidecar\'
./graylog-sidecar.exe -service install
./graylog-sidecar.exe -service start

If you mess up when setting up Sidecar, you can edit the settings by running this command.

notepad.exe "C:\Program Files\Graylog\sidecar\sidecar.yml"

Graylog Setup for Windows Cont.

If you set up the service correctly on Windows, you should see a sidecar reporting in Graylog. The image below shows how it should look.

Finally, create a collector configuration as shown below.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# Ship to the Beats input created above
output.logstash:
  hosts: ["log01-dylan:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Security

Now we just need to apply the collector configuration to the host.