Lab 2.2 Syslog Organization on log01 - lizzy9596/my-tech-journal GitHub Wiki
Syslog Organization on log01
In this lab, I learned how to do logging.
Parts:
Set up mgmt01
To start, I made sure mgmt01 was connected to the LAN network. I then opened the GUI and configured the system as follows.
I then ran the command sudo -i to run commands as root. I then changed the root password using passwd and created a new user:
Set up NAT and DNS forwarding to LAN
I needed to change the firewall rules to get mgmt01 to connect to the internet. To start, I opened fw01 and entered configuration mode.
To create a NAT rule for LAN to WAN I ran the below:
Next, I configured the DNS forwarding to the DMZ network:
After that I was able to ping Google!
Remote Desktop install
Following the tutorial in the lab I was then able to set up a remote desktop on the system. I first logged into Chrome under my email. After logging in I navigated to remotedesktop.google.com. Here I went to set up via SSH and downloaded the Debian package. I then navigated to the download folder with cd /home/elizabeth/Downloads and ran the command sudo apt install ./chrome-remote-desktop_current_amd64.deb to install the remote desktop.
While installing I ran into a few errors; when I tried to run the configuration command I got this error:
log01: Log Organization on log01
Next I went onto log01 and opened my rsyslog.conf file by running the command sudo vi /etc/rsyslog.conf. I commented out the lines from the last lab.
For the next part of the configuration I sshed into log01 from mgmt01 using ssh 172.16.50.5. After saving I created a new configuration file using sudo vi /etc/rsyslog.d/03-sec350.conf and filled it with the contents from this repository (linked in the lab). After configuring I restarted rsyslog.
I then went onto web01 and ran the command logger -t SEC350 Testing web01->log01 custom rsyslog configuration to send a log.
Next I ran the following commands on mgmt01 to see the logs created:
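The journal fills 03-sec350.conf from the lab's repository, which is not reproduced here. As an added example (not the journal's or the lab repository's own configuration), the shell helper below writes a server-side rsyslog configuration of the same kind: it listens on UDP and TCP 514 and files each sender's messages under a per-host directory using a dynamic file template. The base directory, the port, the file modes and the loopback filter are assumptions for this example; the logger command in the last function is the journal's own test, wrapped so it can be reused.

```shell
# Added example, not the journal's or the lab repository's 03-sec350.conf:
# writes an rsyslog server configuration that accepts remote syslog on
# UDP and TCP 514 and files each sender's messages under its own directory.
# The destination paths, file modes and loopback filter are assumptions.

write_sec350_server_conf() {
  # $1 = file to write (on log01 this would be /etc/rsyslog.d/03-sec350.conf)
  # $2 = base directory for remote logs (default /var/log/remote-syslog)
  conf=$1
  base=${2:-/var/log/remote-syslog}
  cat > "$conf" <<EOF
# Accept remote syslog over UDP and TCP on port 514
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending host and program, e.g. ${base}/web01/sshd.log
template(name="RemoteHostLog" type="string"
         string="${base}/%HOSTNAME%/%PROGRAMNAME%.log")

# Anything that did not originate on this host goes into the per-host tree
# and stops there, so remote events are not also mixed into the local logs.
# The modes keep the collected logs readable by root only.
if \$fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="RemoteHostLog"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF
}

check_rsyslog_conf() {
  # Validate the file with rsyslogd's config check when rsyslogd is installed;
  # returns 0 when the syntax is accepted or when no rsyslogd is available.
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 -f "$1"
  else
    echo "rsyslogd not installed here; skipping syntax check" >&2
  fi
}

send_test_message() {
  # Same test the journal runs from web01: a tagged message that should land
  # in <base>/<client-hostname>/SEC350.log on the server.
  logger -t SEC350 "$1"
}
```

After writing the file on log01, restart rsyslog and send a tagged message from a client; the `stop` in the ruleset is what keeps remote events out of the server's own log files, and checking the file with rsyslogd's -N1 mode before restarting catches the kind of typo the journal later runs into.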
web01: Logging Authorization Events
On web01 I modified the rsyslog client configuration so events are forwarded to my log server. To start I ran the command sudo nano /etc/rsyslog.d/sec350-client.conf. I then added the following:
I then restarted rsyslog and sshed into web01 from rw01, making sure to have a few failed attempts to generate logs. After generating logs I sshed into log01 from mgmt01 to view the logs generated. I then ran this command to see the logs: cat /var/log/remote-syslog/web01-elizabeth/.
I had some issues generating logs; I only got the following:
After some troubleshooting I realized it was a typo in my configuration file. I'm now able to view the log messages.
fw01: Logging Authorization Events
To start I sshed into the firewall from mgmt01. I then went into the VyOS configuration to send authentication messages from fw01 to log01, using the commands below.
Next I needed to generate some failed login attempts. I simply used the wrong credentials repeatedly to try and ssh into the firewall.
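Both the web01 and fw01 sections above generate failed SSH logins so that they show up on log01. As an added example (not part of the journal), the shell snippet below shows what a defender does with those lines once collected: it counts failed password attempts per source address and flags sources above a threshold. The log lines, host names and addresses are constructed for the example; the awk pattern handles both the plain "Failed password for user" form and the "invalid user" form sshd emits for unknown accounts.

```shell
# Added example, not part of the journal: detection over constructed sshd
# lines of the kind web01 and fw01 forward to log01. Hosts and addresses
# below are made up for the example.
SAMPLE_AUTH_LOG='Feb  6 14:02:11 web01 sshd[1234]: Failed password for invalid user admin from 10.0.17.200 port 51234 ssh2
Feb  6 14:02:15 web01 sshd[1234]: Failed password for elizabeth from 10.0.17.200 port 51240 ssh2
Feb  6 14:02:20 web01 sshd[1240]: Accepted password for elizabeth from 10.0.17.200 port 51250 ssh2
Feb  6 14:03:01 fw01 sshd[555]: Failed password for vyos from 10.0.17.210 port 40000 ssh2
Feb  6 14:03:05 web01 sshd[1250]: Failed password for root from 10.0.17.200 port 51260 ssh2'

failed_logins_by_source() {
  # stdin: syslog lines; stdout: "<ip> <count>", highest count first.
  # Only sshd "Failed password" events count; accepted logins are ignored.
  # The source address is the field after "from", which works for both the
  # "Failed password for USER" and "Failed password for invalid user USER" forms.
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
       }
       END { for (ip in fails) print ip, fails[ip] }' | sort -k2,2nr -k1,1
}

flag_bruteforce_sources() {
  # $1 = threshold of failed attempts; stdin: syslog lines;
  # stdout: source addresses at or above the threshold, one per line.
  threshold=$1
  failed_logins_by_source | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Usage against the collected per-host files on log01 would look like:
#   cat /var/log/remote-syslog/*/sshd.log | flag_bruteforce_sources 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
```

On the constructed input the first function reports 10.0.17.200 with three failures and 10.0.17.210 with one; with a threshold of 3 only the first address is flagged. The threshold and the time window are where tuning happens in practice: counting per address over the whole file is fine for a lab, but a production detection would bucket by time as well.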
Install Tree on log01
To view the logs I first needed to install tree on log01. To do this I first had to configure the base repository settings, following this guide. I edited the file /etc/yum.repos.d/CentOS-Base.repo, uncommented the base URL lines, and changed mirror to vault. The file is now as shown:
I was then able to run sudo yum install tree.
After installation I was able to see the logs:
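The repository edit above (comment out the mirrorlist, uncomment baseurl, point mirror.centos.org at vault.centos.org) is shown in the journal only as a screenshot. As an added example (not the journal's own file), the shell functions below apply the same edit with sed to a constructed CentOS-Base.repo and check the result. The sample file content, the 7.9.2009 release string and the gpgkey path are assumptions for this example; the release passed to the function should be the exact version directory that exists on the vault for the installed system.

```shell
# Added example, not from the journal: rewrite a CentOS-Base.repo so yum
# fetches from the vault archive instead of the retired mirrorlist.
# The sample repo content below is constructed for the example.

write_sample_repo() {
  # $1 = path to write the constructed sample [base] section to
  cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
}

point_repo_at_vault() {
  # $1 = repo file to rewrite in place
  # $2 = exact release directory on the vault, e.g. 7.9.2009 (assumed value)
  # The mirrorlist line is commented out, the baseurl line is uncommented,
  # and $releasever is replaced by the pinned release because the vault is
  # laid out by full version rather than by major release.
  file=$1
  release=$2
  sed -e 's/^mirrorlist=/#mirrorlist=/' \
      -e 's/^#baseurl=/baseurl=/' \
      -e 's|mirror\.centos\.org/centos/\$releasever|vault.centos.org/'"$release"'|' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

repo_uses_vault() {
  # Returns 0 when the file has an active vault baseurl, no active mirrorlist,
  # and still verifies package signatures (gpgcheck must stay on; pointing at
  # an archive is no reason to stop checking what yum installs).
  grep -q '^baseurl=http://vault\.centos\.org/' "$1" \
    && ! grep -q '^mirrorlist=' "$1" \
    && grep -q '^gpgcheck=1' "$1"
}
```

On a real log01 the call would be point_repo_at_vault /etc/yum.repos.d/CentOS-Base.repo 7.9.2009 followed by yum clean all before installing tree; repo_uses_vault is the check to run before trusting the result.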