SYS255 Entry for: Week 13 Class Notes - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

This page is a copy of the week 13 notes for syslog and auditd:
Week 13 - Class Notes
Syslog
Default port 514/UDP. Newer versions of syslog applications provide support for TCP and can use any arbitrary port.

Syslog information: https://en.wikipedia.org/wiki/Syslog

Windows
Download Sysmon to your Windows 10 workstation and install it. The website shows how to install it.
https://tinyurl.com/xry8nsfp

Download the Windows NXLog installer and install it on your Windows 10 workstation.
https://tinyurl.com/27eupbsw

After install, replace the "C:\Program Files (x86)\nxlog\conf\nxlog.conf" file with the one below:
https://tinyurl.com/y54crvjs

You will need to open notepad as an administrator in order to edit the nxlog.conf file. Take some time to read the comments in the nxlog.conf file.

Linux
Client Configuration to Send Logs to our Remote Server

  1. Install auditd:

sudo apt install auditd

  2. Download the audit configuration to your lnx Linux workstation:
    https://tinyurl.com/26jua8uy

  3. Copy the downloaded file to /etc/audit/rules.d/audit.rules

  4. Then restart the audit service:

sudo service auditd restart

  5. To send the audit log to the remote server, edit /etc/rsyslog.conf and add the following near the top of the file:

module(load="imfile" PollingInterval="10")
input(type="imfile" File="/var/log/audit/audit.log" Tag="tag1" Severity="error" Facility="local7")

  6. To send all the logs from our Linux workstation to the log server (our mail server), add:

*.* @@mail01.dunston.local

Or you can use the IP address. The @@ prefix forwards over TCP, which matches the imtcp listener configured on the server below; a single @ would forward over UDP.

  7. Restart the rsyslog service:

sudo service rsyslog restart

Set up a server to receive syslog messages (become the syslog server)

  1. Edit the /etc/rsyslog.conf file and uncomment the lines:

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

  2. Restart the rsyslog service:

sudo service rsyslog restart

  3. Check to be sure it is listening by looking for "shell" in the output of lsof (TCP port 514 is shown by its /etc/services name, shell):

rsyslogd 9547 root 3u IPv4 1208747 0t0 TCP *:shell (LISTEN)
rsyslogd 9547 root 4u IPv6 1208748 0t0 TCP *:shell (LISTEN)

3a. Another command to get used to is ss, which lists open sockets:

ss -l -n |grep 514
tcp LISTEN 0 25 *:514 *:*
tcp LISTEN 0 25 [::]:514 [::]:*
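As an added example (not part of the class notes), a small Python checker that parses the legacy rsyslog forwarding action from the client steps (distinguishing @ UDP from @@ TCP and the default port 514) and confirms the imtcp listener from ss output; the rsyslog.conf fragment and the ss listing are constructed, using the mail01.dunston.local hostname from the notes.

```python
import re

# Legacy rsyslog action: "<selector> @host[:port]" forwards over UDP, "@@host[:port]" over TCP.
FORWARD_RE = re.compile(
    r"^\s*(?P<selector>[^\s#]+)\s+(?P<at>@@?)"
    r"(?P<host>\[[^\]]+\]|[^\s:]+)(?::(?P<port>\d+))?\s*$"
)

# Constructed rsyslog.conf fragment mirroring the client setup in these notes.
SAMPLE_CONF = """\
module(load="imfile" PollingInterval="10")
input(type="imfile" File="/var/log/audit/audit.log" Tag="tag1" Severity="error" Facility="local7")
*.* @@mail01.dunston.local
"""

# Constructed 'ss -l -n' output showing rsyslog's imtcp listener on IPv4 and IPv6.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      25     *:514               *:*
tcp   LISTEN 0      25     [::]:514            [::]:*
"""

def parse_forward_rule(line):
    """Return selector/transport/host/port for one forwarding action, else None."""
    m = FORWARD_RE.match(line)
    if not m:
        return None
    return {
        "selector": m.group("selector"),
        "transport": "tcp" if m.group("at") == "@@" else "udp",
        "host": m.group("host").strip("[]"),
        "port": int(m.group("port") or 514),  # syslog's default port
    }

def forwarding_rules(conf_text):
    """All forwarding actions in an rsyslog.conf, in file order (other lines are ignored)."""
    return [r for r in map(parse_forward_rule, conf_text.splitlines()) if r]

def listening_on(ss_output, port, proto="tcp"):
    """Local addresses with a LISTEN socket on <proto>:<port> in 'ss -l -n' output."""
    found = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != proto or parts[1] != "LISTEN":
            continue
        addr, _, lport = parts[4].rpartition(":")  # "[::]:514" -> ("[::]", ":", "514")
        if lport == str(port):
            found.add(addr)
    return found
```

Run `forwarding_rules(SAMPLE_CONF)` and `listening_on(SAMPLE_SS, 514)` against the real /etc/rsyslog.conf and `ss -l -n` output to confirm the client forwards over the same transport and port the server is listening on.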