Lab 2 Logging - LosephCawtonJurtis/SEC-350 GitHub Wiki

Description:

Log01:

  • Create custom rsyslog configuration to create a directory structure and names for logfiles based on the host that is sending the file
  • Install and configure Splunk to index and display the rsyslog files
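The custom rsyslog configuration described for log01 above, written out as an added example (not the wiki author's own file): a drop-in that listens for remote syslog and files each sender under /var/log/remote-syslog/<sender hostname>/<day>, which is the layout the later "cat /var/log/remote-syslog/web01-henry/DATE" check assumes. Assumptions: rsyslog 8 (RainerScript syntax), senders use UDP/514, the drop-in name remote-syslog.conf, and a date-named file of the form YYYY-MM-DD (the page only says "DATE").

```shell
#!/bin/sh
# Added example, not the wiki's own config: an rsyslog drop-in for log01 that files
# every remote sender under /var/log/remote-syslog/<sender hostname>/<YYYY-MM-DD>.
# Assumptions: rsyslog 8 (RainerScript syntax), senders use UDP/514, and the
# drop-in filename /etc/rsyslog.d/remote-syslog.conf (any name in rsyslog.d works).

write_remote_conf() {
  # $1 = where to write the drop-in; point it at a temp file to preview it first
  cat > "$1" <<'EOF'
# Accept remote syslog on UDP/514 and hand it to a dedicated ruleset, so remote
# messages never fall through into log01's own /var/log/messages.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# One directory per sending host, one file per day. %HOSTNAME% is taken from the
# sender's syslog header, which is why web01's messages land under web01-henry/.
template(name="RemoteLogs" type="string"
         string="/var/log/remote-syslog/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%")

ruleset(name="remote") {
  action(type="omfile" dynaFile="RemoteLogs"
         dirCreateMode="0750" fileCreateMode="0640")
}
EOF
}

check_remote_conf() {
  # $1 = drop-in path. Uses rsyslog's own syntax check (-N1) when rsyslogd is
  # installed; otherwise confirms the two lines the lab depends on are present.
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 -f "$1" >/dev/null 2>&1
  else
    grep -q 'input(type="imudp" port="514"' "$1" && grep -q 'dynaFile="RemoteLogs"' "$1"
  fi
}

# Mirror of the template above: the file a message from host $1 on day $2 (YYYY-MM-DD)
# lands in, so the "cat .../web01-henry/DATE" check from the lab can be scripted.
remote_log_path() {
  printf '/var/log/remote-syslog/%s/%s\n' "$1" "$2"
}

# Typical use on log01, as root:
#   write_remote_conf /etc/rsyslog.d/remote-syslog.conf \
#     && check_remote_conf /etc/rsyslog.d/remote-syslog.conf \
#     && systemctl restart rsyslog
```

Because the input is bound to its own ruleset, nothing from web01 or fw01 is duplicated into log01's local files, and Splunk can be pointed at /var/log/remote-syslog/ as a single monitored directory. On a CentOS-style log01 (the page's yum command suggests one) 514/udp must also be opened in firewalld (`firewall-cmd --permanent --add-port=514/udp && firewall-cmd --reload`) or the remote messages are silently dropped.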

Web01:

  • Configure to export login event information via rsyslog to log01

FW01:

  • Configure to export login event information via rsyslog to log01

Log01

Recreate log test from web01 in Lab01

  • cat /var/log/remote-syslog/web01-henry/DATE (to view results)
  • Install tree
  • sudo yum install tree -y

Web01 Authpriv logging

  • Modify /etc/rsyslog.d/sec350.conf
  • Add authpriv.* @172.16.50.5
  • Fail to ssh into web01 from rw01
  • On log01 view the logs
  • ls, then cat /var/log/remote-syslog/web01-henry/DATE

FW01 logging (VYOS)

  • Adjust config to send auth messages from fw01 to log01
  • set system syslog host 172.16.50.5 facility authpriv level info
  • commit
  • save
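Once both the web01 (authpriv.* forwarding) and fw01 (VyOS syslog host) steps above are in place, the failed-login attempt that the web01 step deliberately generates shows up on log01 as sshd "Failed password" lines. The following added example (not from the wiki) checks that the web01 forwarding line is present and summarises failed SSH logins per host, user and source address across the per-host files on log01. Both web01 and fw01 run OpenSSH, so their sshd lines share the same format. The log lines are constructed for the example; the source address 172.16.200.10 is a made-up stand-in for rw01, not a lab value.

```shell
#!/bin/sh
# Added example, not the wiki's own code. Defender-side checks for this lab:
#  1. confirm web01's rsyslog drop-in forwards authpriv to log01 (172.16.50.5)
#  2. summarise failed SSH logins from the per-host files log01 collects
# Sample log lines are constructed; 172.16.200.10 is a stand-in for rw01.

# $1 = rsyslog drop-in on web01 (the lab uses /etc/rsyslog.d/sec350.conf).
# Accepts both "@" (UDP) and "@@" (TCP) forwarding forms.
has_authpriv_forward() {
  grep -Eq '^authpriv\.\*[[:space:]]+@{1,2}172\.16\.50\.5' "$1"
}

# Writes a small constructed log file at $1 shaped like what log01 receives.
make_sample_log() {
  cat > "$1" <<'EOF'
Feb 10 14:02:11 web01-henry sshd[1412]: Failed password for invalid user admin from 172.16.200.10 port 51234 ssh2
Feb 10 14:02:15 web01-henry sshd[1412]: Failed password for invalid user admin from 172.16.200.10 port 51234 ssh2
Feb 10 14:02:40 web01-henry sshd[1420]: Accepted publickey for henry from 172.16.200.10 port 51240 ssh2
Feb 10 14:05:03 fw01 sshd[2207]: Failed password for vyos from 172.16.200.10 port 40022 ssh2
Feb 10 14:05:09 fw01 sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/bin/cat /etc/shadow
EOF
}

# Prints "<count> <host> <user> <source-ip>", most frequent first.
# $@ = one or more log files, e.g. /var/log/remote-syslog/*/DATE on log01.
# "invalid user" is stripped so unknown and real accounts are counted alike.
failed_ssh_summary() {
  grep -hE 'sshd\[[0-9]+\]: Failed password for' "$@" \
    | sed -E 's/^[A-Za-z]{3} +[0-9]+ [0-9:]+ ([^ ]+) sshd\[[0-9]+\]: Failed password for (invalid user )?([^ ]+) from ([0-9.]+) .*/\1 \3 \4/' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2, $3, $4}'
}

# Stand-alone demonstration on the constructed sample:
#   f=$(mktemp); make_sample_log "$f"; failed_ssh_summary "$f"; rm -f "$f"
```

On log01 the same function runs over the day's files from every sender at once (`failed_ssh_summary /var/log/remote-syslog/*/DATE`), which is the kind of cross-host view the lab's per-host directory layout makes possible and that a Splunk search over the same directory would reproduce.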

Log01 (part2)