Saturday, May 4, 2024

LINUX LOGs - local / remote audit

Log files are crucial to auditing Linux. They cover not only error handling, but also who logged in when and what they did, mail in and out, startup issues, server issues and more.

Previously, the list of log files was found in /etc/rsyslog.conf.

More recently it lives in /etc/rsyslog.d/50-default.conf:

    grep "/var/log" /etc/rsyslog.d/50-default.conf

----------------------------

A very useful feature is centralizing the logs of several servers on one single server. If you were running Apache/MySQL/GLPI on Debian and Snort/Nagios on one or two CentOS boxes, you can have all of their logs on your Ubuntu server:


First, simply edit the /etc/rsyslog.conf file on your central server.
You only have to uncomment the two lines under "provides UDP syslog reception". UDP is less greedy with network resources than TCP, which can be crucial when a lot of local servers are sending logs. Then we restart the logging service with:

    systemctl restart rsyslog

With ss -lptun we can check the open ports:

    ss -lptun

Port 514 is now open for UDP reception, as configured in rsyslog.

---------------------

On a bare server, like the ones we need for Nagios or GLPI, rsyslog is not necessarily installed; we must apt install rsyslog. This is what I did for my Debian server. Then edit rsyslog.conf on this client server as well.
Simply add the line

    authpriv.* @192.168.1.40:514

to send our authentication logs to the central server. A single @ means UDP logging, @@ means TCP logging. Then restart rsyslog on the client:

    systemctl restart rsyslog

----------------------------------

Back on our central server, we run a tail and leave it open:

    tail -f /var/log/auth.log

Then, for instance, initiate an SSH connection, one way or another, from or to our client server. It will be logged:

    ssh 192.168.1.33

We can now see every authentication action of the client logged on our central server. That is how simple it is; in further posts we will dive deeper into auditing our Linux server.
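The two config edits above (uncomment UDP reception on the central server, add a forwarding rule on each client) as an added shell example, not code from the original post. It works on a copy of the config so it can be run without root; the collector address 192.168.1.40 and port 514 are the post's own, the short rsyslog.conf fragment at the bottom is constructed, and the legacy $ModLoad/$UDPServerRun spelling is handled as an assumption about older rsyslog versions. Note that plain UDP syslog is neither reliable nor authenticated: a lost datagram is simply gone, and anything on the LAN can inject lines into the collector's auth.log, so keep the collector on a trusted segment or move to @@ (TCP) once volume allows.

```shell
#!/bin/sh
# Added example, not from the original post: enable UDP reception on the
# central rsyslog server and build the client-side forwarding rule, done on
# a copy of the config so no root is needed. 192.168.1.40:514 is the
# collector from the post; the sample config text below is constructed.

# Uncomment the two lines under "provides UDP syslog reception".
# Handles the rsyslog 8 form (module()/input()) and, as a fallback, the
# legacy $ModLoad/$UDPServerRun form assumed for older rsyslog.conf files.
enable_udp_reception() {
    conf="$1"
    sed -e 's/^#\(module(load="imudp")\)/\1/' \
        -e 's/^#\(input(type="imudp" port="514")\)/\1/' \
        -e 's/^#\(\$ModLoad imudp\)/\1/' \
        -e 's/^#\(\$UDPServerRun 514\)/\1/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when the config has UDP reception enabled (either syntax).
udp_reception_enabled() {
    grep -q -e '^input(type="imudp" port="514")' -e '^\$UDPServerRun 514' "$1"
}

# Build the client-side forwarding rule: "@" sends over UDP, "@@" over TCP.
forward_rule() {
    facility="$1"; host="$2"; port="$3"; proto="${4:-udp}"
    case "$proto" in
        udp) printf '%s @%s:%s\n' "$facility" "$host" "$port" ;;
        tcp) printf '%s @@%s:%s\n' "$facility" "$host" "$port" ;;
        *)   echo "forward_rule: unknown protocol '$proto'" >&2; return 1 ;;
    esac
}

# The post's check after the restart: is anything listening on UDP 514?
# (ss output differs between versions, so this is only printed, not asserted.)
check_udp_listener() {
    ss -lun 2>/dev/null | grep ':514 ' || echo "nothing listening on UDP 514"
}

# Demo on a constructed copy of the relevant rsyslog.conf lines.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
EOF
enable_udp_reception "$DEMO_CONF"
cat "$DEMO_CONF"
forward_rule 'authpriv.*' 192.168.1.40 514        # UDP, as in the post
forward_rule 'authpriv.*' 192.168.1.40 514 tcp    # TCP alternative
rm -f "$DEMO_CONF"
```

On a real server you would point enable_udp_reception at /etc/rsyslog.conf, append the output of forward_rule to the client's config, run systemctl restart rsyslog on both sides and then call check_udp_listener on the collector.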

------------------------------------

In /var/log/auth.log we can then find info on logins and SSH connections
(/var/log/secure on Red Hat/CentOS, and probably other non-rsyslog systems):

  • grep login /var/log/auth.log
  • grep ssh /var/log/auth.log
  • journalctl | grep login     # for older login history, beyond the rotated log
  • journalctl | grep ssh       # for older ssh history, beyond the rotated log
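Going one step past "grep ssh /var/log/auth.log", here is an added shell example (not from the original post) that summarises what sshd wrote to auth.log: accepted logins and failed passwords per user and source IP, and the source IPs that reached a failure threshold. It assumes the standard rsyslog auth.log line format shown; the sample lines are constructed and are not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise sshd entries in
# an auth.log instead of eyeballing grep output. Assumes the usual rsyslog
# line format ("... sshd[PID]: Accepted ... for USER from IP ..." and
# "... sshd[PID]: Failed password for [invalid user] USER from IP ...").
# The sample log below is constructed.

# One line per (user, ip) pair:
#   accepted <user> <ip> <count>   /   failed <user> <ip> <count>
ssh_login_summary() {
    awk '
        /sshd\[/ && /Accepted/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            ok[user " " ip]++
        }
        /sshd\[/ && /Failed password/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    user = $(i + 1)
                    # "Failed password for invalid user NAME from ..."
                    if (user == "invalid") user = $(i + 3)
                }
                if ($i == "from") ip = $(i + 1)
            }
            bad[user " " ip]++
        }
        END {
            for (k in ok)  print "accepted", k, ok[k]
            for (k in bad) print "failed", k, bad[k]
        }' "$1"
}

# Source IPs with at least THRESHOLD (second argument, default 3) failed passwords.
failed_by_ip() {
    awk -v t="${2:-3}" '
        /sshd\[/ && /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1"
}

# Constructed sample of /var/log/auth.log lines (not a real capture).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May  4 10:01:12 srv sshd[1234]: Accepted publickey for alice from 192.168.1.33 port 51234 ssh2: ED25519 SHA256:constructed
May  4 10:02:40 srv sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
May  4 10:02:43 srv sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
May  4 10:03:01 srv sshd[1251]: Failed password for root from 203.0.113.7 port 40100 ssh2
May  4 10:05:15 srv sshd[1260]: Accepted password for bob from 192.168.1.20 port 50000 ssh2
May  4 10:05:15 srv sshd[1260]: pam_unix(sshd:session): session opened for user bob by (uid=0)
May  4 10:06:00 srv CRON[1270]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

ssh_login_summary "$SAMPLE_LOG" | sort
echo "--- source IPs with 3 or more failed passwords:"
failed_by_ip "$SAMPLE_LOG" 3
```

Point ssh_login_summary at the real /var/log/auth.log (or at the collector's copy after the centralization above) to get the same per-user, per-IP view; the session-opened and CRON lines are deliberately left out of the counts.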

-----------------------------------

SYSTEM / STARTUP INFO on NICs (network interface cards)
    # dmesg = 'display message' (the kernel ring buffer)
    dmesg | grep e1000         # ethernet adapter detection by the kernel

    # info on the detection of the NIC is also in kern.log
    grep e1000 /var/log/kern.log

    # info on the configuration of the NIC is in syslog
    grep enp0s3 /var/log/syslog

 INFO on REBOOTS and past connections
    # stored in the file wtmp --> it is a binary file
    # (other OSs keep a similar reboot log file)

    last   # to read it under Ubuntu / Debian

-------------------------------

WHO is connected right now and doing what
    who       # who is logged in right now
    w         # who is logged in and what they are doing

 

 _dnhyper

