= Problem statement =

The aim of this guide is to set up centralised log management, using Rsyslog and SEC as the example tools, together with basic log monitoring.
= Software and virtual machines used =

== Software ==

Rsyslog 5.8.6

SEC 2.5.3

== Virtual machines ==

1) Central log server: Ubuntu Server 64-bit, version 12.04.3 LTS.

IP address: 192.168.56.201

2) Client: Ubuntu Desktop 64-bit, version 13.

IP address: 192.168.56.101
= Configuring the log server =

== Rsyslog [http://www.canonical.com/sites/default/files/active/Whitepaper-CentralisedLogging-v1.pdf] ==

1) Create a new virtual machine with a unique IP address.

2) Next, create a directory for the logs.

''NB! All commands should be run with sudo privileges.''

<source lang="bash">
mkdir /var/log/remote
</source>

3) After that, give the group write permission on the directory and make it inherit automatically (the setgid bit).

<source lang="bash">
# g+w: the group may write; s (setgid): files created inside inherit the directory's group
chmod g+ws /var/log/remote/
</source>

4) Also change the directory's owner so that syslog has the permissions it needs.

<source lang="bash">
chown syslog:adm /var/log/remote/
</source>

5) Then add the following lines to the configuration file (/etc/rsyslog.conf):

<source lang="bash">
# provides TCP syslog reception
$ModLoad imtcp
# default port 514 does not work until rsyslog has been updated.
$InputTCPServerRun 1025

# This is the template that generates the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/remote/%fromhost-ip%/syslog.log"

# Log all messages to the dynamically formed file. Each client's log (192.168.56.*) now ends up under a separate directory formed by the template FILENAME.
*.* ?FILENAME
</source>

6) After that, add the following to the client machine's configuration file (/etc/rsyslog.conf).

<source lang="bash">
# provides TCP syslog reception
# (these two lines open a listening TCP port on the client; they are only needed if the client must also receive logs)
$ModLoad imtcp
# default port 514 does not work until rsyslog has been updated.
$InputTCPServerRun 1025

# Provides TCP forwarding to the central server (@@ = TCP, @ would be UDP).
# default port 514 does not work until rsyslog has been updated.
*.* @@192.168.56.201:1025
</source>
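As an added example (not part of this guide, nor code from rsyslog or SEC), the following Python script does the kind of basic monitoring the guide aims at, over the per-client layout that the FILENAME template produces on the server: it counts SSH authentication failures per client directory and flags clients that have stopped forwarding logs, which is exactly what a central log server is there to notice. The parser assumes rsyslog's default file format; the 192.168.56.102 client and all log lines are constructed sample data written to a temporary copy of the layout.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path
# Default rsyslog file format: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"(?P<tag>[^:\[]+)(\[\d+\])?: (?P<msg>.*)$")
AUTH_FAIL = re.compile(r"Failed password|authentication failure")

def parse_line(line, year):
    """(timestamp, host, tag, message) or None; the default timestamp has no year, caller supplies it."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["tag"], m["msg"]

def scan(root, now, year, silence_s=600):
    """Walk <root>/<client-ip>/syslog.log: count auth failures per client, flag clients silent > silence_s."""
    failures, silent = {}, []
    for client_dir in sorted(Path(root).iterdir()):
        path = client_dir / "syslog.log"
        if not path.is_file():
            continue  # not a client directory created by the FILENAME template
        last_ts, count = None, 0
        for line in path.read_text().splitlines():
            rec = parse_line(line, year)
            if rec is None:
                continue  # e.g. a multi-line continuation; skip rather than crash
            last_ts = rec[0]
            count += bool(AUTH_FAIL.search(rec[3]))
        failures[client_dir.name] = count
        if last_ts is None or (now - last_ts).total_seconds() > silence_s:
            silent.append(client_dir.name)  # client stopped forwarding (or never did)
    return failures, silent

def demo():
    """Constructed sample: the guide's client (.101) plus a constructed client (.102) that went quiet."""
    root = tempfile.mkdtemp()
    sample = {
        "192.168.56.101": ["Nov 12 10:00:01 client sshd[1234]: Failed password for root from 192.168.56.1 port 4444 ssh2",
                           "Nov 12 10:00:03 client sshd[1234]: Failed password for root from 192.168.56.1 port 4444 ssh2",
                           "Nov 12 10:04:30 client CRON[2222]: (root) CMD (run-parts /etc/cron.hourly)"],
        "192.168.56.102": ["Nov 12 09:30:00 other rsyslogd: start"],
    }
    for ip, lines in sample.items():
        (Path(root) / ip).mkdir()
        (Path(root) / ip / "syslog.log").write_text("\n".join(lines) + "\n")
    return scan(root, now=datetime(2013, 11, 12, 10, 5, 0), year=2013)
```

Run `scan("/var/log/remote", datetime.now(), datetime.now().year)` on the server from cron to get the real report; `demo()` only exercises it on the constructed data.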
= References =

http://www.canonical.com/sites/default/files/active/Whitepaper-CentralisedLogging-v1.pdf

http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/

http://www.occam.com/sa/CentralizedLogging2012.pdf