Lab02 Logging - Henryisgreat/TechJournal GitHub Wiki

Log01

  • Uncomment the $ModLoad imudp and $UDPServerRun lines in /etc/rsyslog.conf so log01 listens for syslog over UDP
  • wget the rsyslog config file for remote logs
    • cd /etc/rsyslog.d
    • wget http://10.0.17.3/sec350/03-sec350.conf
    • systemctl restart rsyslog
  • RECREATE THE LOG TEST FROM WEB01 IN LAB01
    • cat /var/log/remote-syslog/web01-henry/DATE (to view the results)
  • Install tree
    • sudo yum install tree -y

Web01 Authpriv logging

  • Modify /etc/rsyslog.d/sec350.conf
    • ADD authpriv.* @172.16.50.5 (a single @ forwards the authpriv facility to log01 over UDP)
  • Fail an ssh login to web01 from rw01 to generate authpriv events
  • On log01 view the logs
    • ls, then cat /var/log/remote-syslog/web01-henry/DATE
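The checks below are an added example, not part of the journal: a small POSIX shell script that confirms the two things the Log01 and Web01 sections set up. It checks that the collector's imudp directives are really uncommented, decodes a classic rsyslog forwarding rule such as authpriv.* @172.16.50.5 (single @ is UDP, double @@ is TCP), and counts the sshd "Failed password" lines that the failed ssh test should have produced on log01. The config snippets and log lines are constructed inline so the script runs offline; the IPs and paths are the ones from the notes.

```shell
#!/bin/sh
# Added example (not from the journal): offline sanity checks for the
# rsyslog collector/client setup above. All sample inputs are constructed.

# Constructed /etc/rsyslog.conf fragments: the shipped default keeps the
# UDP receiver commented out; the second pair is what log01 needs.
SAMPLE_DISABLED='#$ModLoad imudp
#$UDPServerRun 514'
SAMPLE_ENABLED='$ModLoad imudp
$UDPServerRun 514'

# udp_receiver_enabled CONF_TEXT -> returns 0 only if both directives are
# active (not commented out), which is the state L5 asks for on log01.
udp_receiver_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imudp' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*\$UDPServerRun[[:space:]]+[0-9]+' || return 1
    return 0
}

# forward_rule_target RULE -> prints "proto host" for a classic selector
# line such as 'authpriv.* @172.16.50.5'. In rsyslog @ means UDP, @@ TCP.
forward_rule_target() {
    set -- $1   # intentional word splitting: $1 selector, $2 target
    case "$2" in
        @@*) printf 'tcp %s\n' "${2#@@}" ;;
        @*)  printf 'udp %s\n' "${2#@}" ;;
        *)   return 1 ;;
    esac
}

# Constructed lines in the shape the collector writes under
# /var/log/remote-syslog/web01-henry/DATE after the failed ssh test.
SAMPLE_REMOTE_LOG='Feb 10 14:02:11 web01 sshd[1187]: Failed password for henry from 10.0.17.50 port 51234 ssh2
Feb 10 14:02:13 web01 sshd[1187]: Failed password for henry from 10.0.17.50 port 51234 ssh2
Feb 10 14:02:30 web01 sshd[1190]: Accepted password for henry from 10.0.17.50 port 51240 ssh2'

# failed_ssh_count LOG_TEXT -> number of sshd "Failed password" lines
failed_ssh_count() {
    printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Failed password'
}

# Stand-alone run: report what each check finds on the constructed samples.
udp_receiver_enabled "$SAMPLE_ENABLED" && echo "collector sample: UDP receiver enabled"
udp_receiver_enabled "$SAMPLE_DISABLED" || echo "shipped default: UDP receiver still commented out"
echo "forwarding rule target: $(forward_rule_target 'authpriv.* @172.16.50.5')"
echo "failed ssh logins in sample: $(failed_ssh_count "$SAMPLE_REMOTE_LOG")"
```

To run the same checks against a real host, pass the file contents in instead of the constructed strings, for example udp_receiver_enabled "$(cat /etc/rsyslog.conf)" on log01, and failed_ssh_count "$(cat /var/log/remote-syslog/web01-henry/DATE)" after the test login. A count of zero after the failed ssh attempt means either the authpriv rule did not load on web01 or UDP 514 is not reaching log01.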

FW01 logging (VYOS)

  • Adjust the config to send auth messages from fw01 to log01
    • set system syslog host 172.16.50.5 facility authpriv level info
    • commit
    • save

Log01 (Cont)

  • Splunk user: henry
  • Splunk pass: *******
  • Download and start Splunk
    • wget -c http://10.0.17.3/sec350/splunk-8.0.5.rpm