Keskne logihaldus Rsyslog ja SEC näitel: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Kroom (talk | contribs)
No edit summary
Kroom (talk | contribs)
Line 72: Line 72:
4) Reegli faili sisuks tuleks lisada
4) Reegli faili sisuks tuleks lisada
<source lang="bash">
<source lang="bash">
type=PairWithWindow
type=PairWithWindow # Kasutatakse kahte tingimust (mustrit)
ptype=RegExp
ptype=RegExp
pattern=sshd\[\d+\]: Failed .+ for (\S+) from ([\d.]+) port \d+ ssh2
pattern=sshd\[\d+\]: Failed .+ for (\S+) from ([\d.]+) port \d+ ssh2 # muster, mida otsitakse
desc=User $1 has been unable to log in from $2 over SSH during 1 minute
desc=User $1 has been unable to log in from $2 over SSH during 1 minute # kirjeldus
action=pipe ' %t: %s' /bin/echo %t: %s >> /etc/test
action=pipe ' %t: %s' /bin/echo %t: %s >> /etc/test
ptype2=RegExp
ptype2=RegExp
pattern2=sshd\[\d+\]: Accepted .+ for $1 from $2 port \d+ ssh2
pattern2=sshd\[\d+\]: Accepted .+ for $1 from $2 port \d+ ssh2  
desc2=SSH login successful for %1 from %2 after initial failure
desc2=SSH login successful for %1 from %2 after initial failure
action2=logonly
action2=logonly
window=60
window=60 #ajaintervall sekundites
</source>
</source>
Antud reegel logib SSH pordi pihta tehtud ebaõnnestunuid päringuid.
Antud reegel logib SSH pordi pihta tehtud ebaõnnestunuid päringuid.

Revision as of 19:20, 10 January 2014

Ülesande püstitus

Juhendi eesmärgiks on luua keskne logihaldus Rsyslog ja SEC näitel ning esmane logi seire.

Kasutatud tarkvara ja virtuaalmasinad

Tarkvara

Rsyslog 5.8.6
SEC 2.5.3

Virtuaalmasinad

1) Keskne logiserver: Ubuntu Server 64bit versioon 12.04.3 LTS.
IP aadress: 192.168.56.201
2) Klient: Ubuntu Desktop 64bit versioon 13.
IP aadress: 192.168.56.101

Logiserveri seadistamine

Rsyslog [1]

1) Luua uus virtuaalmasin unikaalse IP-aadressiga.

2) Seejärel tuleks luua kaust logide jaoks.
NB! Kõik käsklused peaksid olema SUDO õigustes

mkdir /var/log/remote

3) Pärast seda tuleks anda kaustale grupi automaatse kirjutamise õigus

chmod g+ws /var/log/remote/

4) Samuti tuleks ka kausta omanik ära vahetada, et syslogil oleks täiendavad õigused.

chown syslog:adm /var/log/remote/

5) Seejärel tuleks lisada konfiguratsioonifaili(/etc/rsyslog.conf) järgnevad read:

# provides TCP syslog reception
$ModLoad imtcp
#default port 514 do not work untill rsyslog has been updated.
$InputTCPServerRun 1025

# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/remote/%fromhost-ip%/syslog.log"

# Log all messages to the dynamically formed file. Now each clients log (192.168.56.*), will be under a separate directory which is formed by the template FILENAME.
*.* ?FILENAME

6) Pärast seda tuleks kliendi masina konfiguratsioonifaili(/etc/rsyslog.conf) lisada.

# provides TCP syslog reception
$ModLoad imtcp
#default port 514 do not work untill rsyslog has been updated.
$InputTCPServerRun 1025

# Provides TCP forwarding.
#default port 514 do not work untill rsyslog has been updated.
 *.* @@192.168.56.201:1025

SEC [2]

1) Installige SEC

apt-get update
apt-get install sec

2) Seejärel tuleks luua kaust

mkdir /etc/sec

3) Pärast seda tuleks luua reegli fail

vim /etc/sec/rule1.conf

4) Reegli faili sisuks tuleks lisada

type=PairWithWindow # Kasutatakse kahte tingimust (mustrit)
ptype=RegExp
pattern=sshd\[\d+\]: Failed .+ for (\S+) from ([\d.]+) port \d+ ssh2 # muster, mida otsitakse
desc=User $1 has been unable to log in from $2 over SSH during 1 minute # kirjeldus
action=pipe ' %t: %s' /bin/echo %t: %s >> /etc/test
ptype2=RegExp
pattern2=sshd\[\d+\]: Accepted .+ for $1 from $2 port \d+ ssh2 
desc2=SSH login successful for %1 from %2 after initial failure
action2=logonly
window=60 #ajaintervall sekundites

Antud reegel logib SSH pordi pihta tehtud ebaõnnestunuid päringuid. 5) Käivitage reegel järgmise käsuga

perl /usr/bin/sec -conf=/etc/sec/reegel1.conf -input=/var/log/remote/192.168.56.101/syslog.log

Kasutatud kirjandus

http://www.canonical.com/sites/default/files/active/Whitepaper-CentralisedLogging-v1.pdf
http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/
http://www.occam.com/sa/CentralizedLogging2012.pdf