
CIT 470: Advanced Network and System Administration
Logging

Topics
  1. System logs
  2. Logging policies
  3. Finding logs
  4. Syslog
  5. Syslog servers
  6. Log monitoring

System Logs
Logs record status and error conditions.
Where do log messages come from?
  - Kernel
  - Accounting system
  - System services
Logging methods:
  - The service records its own logs (apache, cron).
  - The service hands its messages to the syslog service, which manages the logs.

Logging Policies
  1. Throw away log data.
  2. Save for a while, then throw away.
  3. Rotate log files.
  4. Archive log files.

How to choose a logging policy?
  1. Are there any data retention requirements?
  2. How much disk space do you have?
  3. How quickly do you need to retrieve logs?
  4. Could you find the source of a security issue with the logs you keep?

Throwing Away
Not recommended. Leaves you unaware of:
  - Software and hardware problems
  - Security incidents
It may take time to detect an incident, and by then the log entries that explain it are often weeks old. Keep logs for at least a month or two.

Rotation
Keep backup files for each day/week:
  logfile
  logfile.1
  logfile.2
  logfile.3
Rename files each day/week to move the old ones back in the list.
Compress rotated logs to save disk space.
Remove/archive logs that are X days old.

Rotation (shell script)
  #!/bin/sh
  # Shift each generation back one slot; the oldest (logfile.3) is overwritten and lost.
  cd /var/log || exit 1
  mv logfile.2 logfile.3
  mv logfile.1 logfile.2
  mv logfile logfile.1
  # Start a fresh, empty log that only its owner can read.
  cp /dev/null logfile
  chmod 600 logfile
Caveat: renaming a file does not change which file a running daemon has open, so after this script the daemon keeps appending to logfile.1 until it is told to reopen its log (for syslogd, a SIGHUP). logrotate's post-rotate scripts exist for exactly that step.

logrotate
Program to handle log rotation.
Run via /etc/cron.daily.
Configured via /etc/logrotate.conf.
Options:
  - How often to rotate
  - How long to keep logs
  - Compression or not
  - Log file permissions
  - Pre- and post-rotate scripts

logrotate.conf
  # rotate log files weekly
  weekly
  # keep 4 weeks worth of backlogs
  rotate 4
  # create new (empty) log files after rotating old ones
  create
  # uncomment if you want your log files compressed
  #compress
  # RPM packages drop log rotation information into this directory
  include /etc/logrotate.d
  # no packages own wtmp -- we'll rotate them here
  /var/log/wtmp {
      monthly
      create 0664 root utmp
      rotate 1
  }

Archiving Logs
Store logs to archival media (tape).
Archive after X days/weeks.
Should be part of the regular backup plan.
May want to save logs for all hosts together.

Finding Logs
Most logs are stored under:
  /var/log
  /var/adm
Check syslog's configuration: /etc/syslog.conf
To find other logs, read the startup scripts in /etc/init.d/* and the manuals for the services those scripts start.
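The rotation procedure on the slides above (shift the generations back, compress, recreate the empty file, drop the oldest) as a runnable Python version. This is an added example, not code from the CIT 470 slides: the file names, the three-generation default and the four-round scenario in demo() are constructed for illustration. It also covers the two things the slides' shell script leaves to the reader: old generations are removed explicitly instead of being overwritten, and the writer can be sent SIGHUP so it reopens the log by name after the rename.

```python
"""Generational log rotation: logfile -> logfile.1 -> logfile.2 -> ... (added example)."""
import gzip
import os
import shutil
import signal
import tempfile
from typing import List, Optional, Tuple


def rotate(path: str, keep: int = 3, compress: bool = True,
           writer_pid: Optional[int] = None) -> List[str]:
    """Rotate `path`, keeping `keep` old generations; returns the files now in its directory.

    Generation n lives at path.n (path.n.gz when compressed). The oldest is deleted, the
    others shift back one slot, the live file becomes generation 1, and a fresh empty file
    is created. Renaming does not move a daemon's open descriptor, so when `writer_pid`
    is given that process is sent SIGHUP to make it reopen the log by name."""
    suffix = ".gz" if compress else ""

    # 1. Drop the oldest generation (the slides' script does this implicitly by overwriting).
    oldest = f"{path}.{keep}{suffix}"
    if os.path.exists(oldest):
        os.remove(oldest)

    # 2. Shift generations back: .2 -> .3, .1 -> .2 (highest first so nothing is clobbered).
    for n in range(keep - 1, 0, -1):
        src = f"{path}.{n}{suffix}"
        if os.path.exists(src):
            os.replace(src, f"{path}.{n + 1}{suffix}")

    # 3. The live file becomes generation 1, compressed on the way if requested.
    #    (A daemon still appending would lose writes here; logrotate's delaycompress
    #    avoids that by compressing one rotation later.)
    if os.path.exists(path):
        if compress:
            with open(path, "rb") as fin, gzip.open(f"{path}.1.gz", "wb") as fout:
                shutil.copyfileobj(fin, fout)
            os.remove(path)
        else:
            os.replace(path, f"{path}.1")

    # 4. Recreate the log empty and owner-only (the slides' `cp /dev/null` + `chmod 600`),
    #    with O_EXCL so we never truncate a file someone slipped in between steps 3 and 4.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)

    # 5. Tell the daemon to reopen; without this it keeps appending to logfile.1.
    if writer_pid is not None:
        os.kill(writer_pid, signal.SIGHUP)

    return sorted(os.listdir(os.path.dirname(path) or "."))


def demo(keep: int = 3) -> Tuple[List[str], str, int]:
    """Constructed scenario: write four generations of a log, rotating after each one.
    Returns (files present, text recovered from the oldest kept generation, mode of live file)."""
    workdir = tempfile.mkdtemp(prefix="rotate-demo-")
    path = os.path.join(workdir, "logfile")
    try:
        for gen in range(4):
            with open(path, "a") as f:
                f.write(f"generation {gen}\n")
            files = rotate(path, keep=keep)
        with gzip.open(f"{path}.{keep}.gz", "rt") as f:
            oldest = f.read()
        mode = os.stat(path).st_mode & 0o777
    finally:
        shutil.rmtree(workdir)
    return files, oldest, mode


if __name__ == "__main__":
    present, oldest_text, live_mode = demo()
    print(present)             # ['logfile', 'logfile.1.gz', 'logfile.2.gz', 'logfile.3.gz']
    print(repr(oldest_text))   # 'generation 1\n': generation 0 fell off the end
    print(oct(live_mode))      # 0o600
```

Compressing the live file at rotation time assumes the writer has stopped or has already been signalled; for a daemon that is still appending, logrotate's delaycompress (compress on the following rotation) is the safer choice, which is why the real tool offers it.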

Finding Logs
  Log file     Program           Contents
  messages     syslog            Various program/kernel logs.
  syslog       syslog            Various program/kernel logs.
  auth.log     su, ssh, login    Authorization failure/success.
  lastlog      login, xdm        Last login time for each user.
  wtmp         login             Login accounting data.
  acct/pacct   kernel            UNIX process accounting.
  Xorg.log     X Window System   X server failures/info.

Syslog
Comprehensive logging system.
Frees programmers from managing log files.
Gives sysadmins control over log management.
Sorts messages by:
  - Source (facility)
  - Importance (level)
Routes messages to destinations:
  - Files
  - Network
  - Terminals

Syslog Components
syslogd: the daemon that does the actual logging. An additional daemon, klogd, collects kernel messages and passes them to syslogd.
openlog, syslog, closelog: C library routines for submitting messages to syslog.
logger: user-level program for submitting messages to syslog; can be used from shell scripts.

Example Syslog Messages
  Feb 11 10:17:01 localhost /USR/SBIN/CRON[1971]: (root) CMD ( run-parts --report /etc/cron.hourly)
  Feb 11 10:37:22 localhost -- MARK --
  Feb 11 10:51:11 localhost dhclient: DHCPREQUEST on eth1 to 192.168.1.1 port 67
  Feb 11 10:51:11 localhost dhclient: DHCPACK from 10.42.1.1
  Feb 11 10:51:11 localhost dhclient: bound to 10.42.1.55 -- renewal in 35330 seconds.
  Feb 11 14:37:22 localhost -- MARK --
  Feb 11 14:44:21 localhost mysqld[7340]: 060211 14:44:21 /usr/sbin/mysqld: Normal shutdown
  Feb 12 04:46:42 localhost sshd[29093]: Address 218.38.30.101 maps to ns.thundernet.co.kr, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
  Feb 12 04:46:44 localhost sshd[29097]: Invalid user matt from ::ffff:218.38.30.101
Each line is: timestamp (no year), hostname, program tag with optional [pid], then the free-text message. The "-- MARK --" lines are written by syslogd itself at a fixed interval; they show that logging was alive during an otherwise quiet period.

Configuring Syslog
Configured in /etc/syslog.conf.
Format: selector <Tab> action
Example: mail.info /var/log/mail.log
Selector components:
  - Source (facility): a list of facilities separated by commas, or *.
  - Importance (level): this level and everything more severe; can also be none or *.

/etc/syslog.conf
  # Log anything (except mail) of level info or higher.
  # Don't log private authentication messages!
  *.info;mail.none;authpriv.none;cron.none    /var/log/messages

  # The authpriv file has restricted access.
  authpriv.*                                  /var/log/secure

  # Log all the mail messages in one place.
  mail.*                                      /var/log/maillog

  # Log cron stuff
  cron.*                                      /var/log/cron

  # Everybody gets emergency messages
  *.emerg                                     *

  # Save news errors of level crit and higher in a special file.
  uucp,news.crit                              /var/log/spooler

  # Save boot messages also to boot.log
  local7.*                                    /var/log/boot.log

Syslog Facilities
  Facility    Used by
  kern        The kernel
  user        User processes (default)
  mail        Mail servers and related software
  daemon      System daemons (except mail, cron)
  auth        Security and authorization-related commands
  lpr         Print server and related commands
  cron        Cron daemon
  local0-7    Eight local facilities for other programs

Syslog Levels
  Level       Meaning
  emerg       Panic situations (hardware failure, crash)
  alert       Urgent situations
  crit        Critical situations
  err         Non-critical errors
  warning     Warnings
  notice      Might merit investigation
  info        Informational messages
  debug       Debugging (typically enabled temporarily)

Syslog Actions
  Action        Meaning
  filename      Write message to a file on the local machine.
  @hostname     Send message to syslogd on hostname.
  @ip           Send message to syslogd at IP address.
  user1,user2   Write message to the users' terminals if they are logged in.
  *             Write message to all logged-in users.

Testing Syslog
  stu> for i in {debug,info,notice,warning,err,crit,alert,emerg}
  > do
  >   logger -p daemon.$i "Test message for daemon, level $i"
  > done
  stu> tail /var/log/daemon.log
  Feb 11 15:57:00 localhost stu: Test message for daemon, level debug
  Feb 11 15:57:00 localhost stu: Test message for daemon, level info
  Feb 11 15:57:00 localhost stu: Test message for daemon, level notice
  Feb 11 15:57:00 localhost stu: Test message for daemon, level warning
  Feb 11 15:57:00 localhost stu: Test message for daemon, level err
  Feb 11 15:57:00 localhost stu: Test message for daemon, level crit
  Feb 11 15:57:00 localhost stu: Test message for daemon, level alert
  Feb 11 15:57:00 localhost stu: Test message for daemon, level emerg

Syslog Variants
Some systems (Solaris, for example) preprocess syslog.conf with m4 macros:
  auth.notice    ifdef(`LOGHOST', /var/log/authlog, @loghost)
Red Hat Linux variants (sysklogd):
  - Allow spaces as separators instead of tabs.
  - New operator = (this priority only). Ex: mail.=info
  - New operator ! (except this priority and higher). Ex: mail.info;mail.!err
    Selectors on one line are separated by semicolons and applied left to right, so this example keeps info, notice and warning only.

Syslog NG
Free drop-in replacement for syslog.
More configurable:
  - Save logs to a templated location (auto-rotates).
  - Filter logs based on program, time, message, etc.
  - Message format customization.
  - Allows easy logging to a remote database.
Improved networking:
  - TCP support as well as UDP.
Improved security:
  - Doesn't trust hostnames in remote messages.
  - TCP transmission permits encrypted tunneling (stunnel).
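The selector rules from the Configuring Syslog, Facilities, Levels, Actions and Variants slides, as an executable model. This is an added example, not code from the slides or from any syslogd: it re-implements the documented sysklogd selector semantics (facility lists, `none`, `*`, `=` and `!`) so the effect of a syslog.conf can be checked offline before it is deployed. SAMPLE_CONF is the slides' Red Hat file plus two constructed lines exercising the extensions; the destinations /var/log/mail.minor and @loghost are assumptions.

```python
"""Routing simulator for classic /etc/syslog.conf selectors (added example)."""
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Severity codes as in the syslog protocol: lower number = more severe.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
ALL_LEVELS: FrozenSet[int] = frozenset(LEVELS.values())

# Facility codes; the <PRI> on the wire is facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

Rule = Tuple[Dict[str, Set[int]], str]   # (facility -> accepted severities, action)


def level_code(name: str) -> int:
    name = LEVEL_ALIASES.get(name, name)
    if name not in LEVELS:
        raise ValueError(f"unknown level {name!r}")
    return LEVELS[name]


def pri(facility: str, level: str) -> int:
    """The <PRI> value that logger -p facility.level would send, e.g. daemon.warning -> 28."""
    return FACILITIES[facility] * 8 + level_code(level)


def parse_priority(spec: str) -> Tuple[bool, FrozenSet[int]]:
    """Translate one priority spec into (add?, severities).

    info   -> add info and everything more severe      =info -> add exactly info
    !err   -> remove err and everything more severe    !=err -> remove exactly err
    none   -> remove everything                        *     -> add everything"""
    add = True
    if spec.startswith("!"):
        add, spec = False, spec[1:]
    if spec == "*":
        return add, ALL_LEVELS
    if spec == "none":
        return False, ALL_LEVELS
    exact = spec.startswith("=")
    code = level_code(spec[1:] if exact else spec)
    if exact:
        return add, frozenset({code})
    return add, frozenset(c for c in ALL_LEVELS if c <= code)


def parse_conf(text: str) -> List[Rule]:
    """Parse syslog.conf text into rules. Selectors on one line apply left to right,
    which is what makes `*.info;mail.none` mean 'info and up, except mail'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Original syslogd wants a tab here; the Linux variants (and we) accept any whitespace.
        selector, action = re.split(r"\s+", line, maxsplit=1)
        mask: Dict[str, Set[int]] = {f: set() for f in FACILITIES}
        for sel in selector.split(";"):
            facs, dot, prio = sel.rpartition(".")
            if not dot:
                raise ValueError(f"bad selector {sel!r}")
            add, severities = parse_priority(prio)
            targets = list(FACILITIES) if facs == "*" else facs.split(",")
            for fac in targets:
                if fac not in FACILITIES:
                    raise ValueError(f"unknown facility {fac!r} in {sel!r}")
                if add:
                    mask[fac] |= severities
                else:
                    mask[fac] -= severities
        rules.append((mask, action))
    return rules


def route(rules: List[Rule], facility: str, level: str) -> List[str]:
    """Every action a message logged as facility.level would be delivered to."""
    code = level_code(level)
    return [action for mask, action in rules if code in mask[facility]]


SAMPLE_CONF = """
# The slides' Red Hat /etc/syslog.conf ...
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     /var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
# ... plus two constructed lines using the sysklogd extensions and a remote action.
mail.info;mail.!err                        /var/log/mail.minor
auth.notice                                @loghost
"""

RULES = parse_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, lvl in [("authpriv", "info"), ("mail", "err"), ("mail", "warning"),
                     ("kern", "emerg"), ("daemon", "debug"), ("news", "crit")]:
        print(f"{fac}.{lvl:8} PRI={pri(fac, lvl):3}  ->  {route(RULES, fac, lvl)}")
```

route() answers the question the logger test on the Testing Syslog slide answers empirically: which files a given facility.level ends up in. The parser deliberately rejects `mail.info,mail.!err`, since a comma joins facilities that share one priority, not two selectors; that is the kind of silent misconfiguration that leaves a log empty.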

Log Servers
Collect all syslog data on one server.
  - Allows logging to scale to large networks.
  - Logs can be correlated across machines.
  - Security-sensitive logs are not left only on a compromised host, where the intruder can edit or delete them.
  - Routers and diskless hosts must log to a server.
Need two syslog.conf files:
  - Client: sends all logs across the network to the server (the @hostname action).
  - Server: saves logs to a database or local files.
Caveat: classic syslog forwarding is UDP, unauthenticated and in the clear, so the server should accept it only from known clients and must itself be hardened; the TCP and stunnel support in syslog-ng addresses this.

Log Monitoring
Too much data for a human to process, and logs arrive 24x7.
Use an automatic monitoring program that triggers on patterns found in the log.
Examples: logwatch, swatch.
swatch configuration:
  # 3ware logs
  watchfor /(?i)3w-xxxx.+no longer fault tolerant/
      mail=root,subject=lw warn: disk 3ware RAID not fault tolerant
      throttle 1:00:00,use=regex
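The swatch rule on the Log Monitoring slide, generalised into a small pattern-matching monitor with per-rule throttling and a brute-force counter, run over sample syslog lines. This is an added example, not code from the slides, swatch or logwatch. SAMPLE_LOG combines the two sshd lines from the Example Syslog Messages slide with constructed entries; the rule names, the thresholds and the 3ware message wording are assumptions.

```python
"""A swatch-style log watcher over classic syslog lines (added example)."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Pattern, Tuple

# Classic syslog line: "Mon DD HH:MM:SS host tag[pid]: message" (no year in the timestamp).
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# (rule name, pattern, throttle in seconds). throttle=0 means alert on every match.
Rule = Tuple[str, Pattern[str], int]
RULES: List[Rule] = [
    ("sshd-dns-mismatch", re.compile(r"POSSIBLE BREAK-?IN ATTEMPT", re.I), 3600),
    ("sshd-invalid-user", re.compile(r"Invalid user \S+ from \S+"), 0),
    ("raid-degraded", re.compile(r"3w-xxxx.+no longer fault tolerant", re.I), 3600),
]
INVALID_USER = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line: str, year: int) -> Optional[dict]:
    """Split one syslog line into fields; None for lines that are not in tag: message form."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "pid": m["pid"], "msg": m["msg"]}


def monitor(lines: List[str], rules: List[Rule] = RULES,
            year: int = 2006) -> Tuple[List[Tuple[datetime, str, str, str]], int]:
    """Return (alerts, unparsed_count); each alert is (time, rule name, host, message).
    As in swatch, a pattern is matched against the whole line, and once a rule fires it
    stays quiet for its throttle period, measured by the log's own timestamps."""
    last_fired: Dict[str, datetime] = {}
    alerts: List[Tuple[datetime, str, str, str]] = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            unparsed += 1            # e.g. syslogd's "-- MARK --" heartbeat
            continue
        for name, pattern, throttle in rules:
            if not pattern.search(line):
                continue
            prev = last_fired.get(name)
            if prev is not None and (rec["ts"] - prev).total_seconds() < throttle:
                continue             # suppressed: same rule fired within the throttle window
            last_fired[name] = rec["ts"]
            alerts.append((rec["ts"], name, rec["host"], rec["msg"]))
    return alerts, unparsed


def invalid_user_sources(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Source addresses with at least `threshold` sshd 'Invalid user' attempts.
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are normalised to plain IPv4."""
    counts: Counter = Counter()
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            ip = m["ip"]
            if ip.startswith("::ffff:"):
                ip = ip[len("::ffff:"):]
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


SAMPLE_LOG = [
    # The two sshd lines shown on the Example Syslog Messages slide.
    "Feb 12 04:46:42 localhost sshd[29093]: Address 218.38.30.101 maps to ns.thundernet.co.kr, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
    "Feb 12 04:46:44 localhost sshd[29097]: Invalid user matt from ::ffff:218.38.30.101",
    # Constructed: the rest of the same scan, a MARK heartbeat, and a degraded RAID array.
    "Feb 12 04:46:47 localhost sshd[29099]: Invalid user test from ::ffff:218.38.30.101",
    "Feb 12 04:46:50 localhost sshd[29101]: Address 218.38.30.101 maps to ns.thundernet.co.kr, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
    "Feb 12 04:46:51 localhost sshd[29103]: Invalid user oracle from ::ffff:218.38.30.101",
    "Feb 12 05:00:00 localhost -- MARK --",
    "Feb 12 06:00:01 localhost kernel: 3w-xxxx: scsi0: AEN: WARNING: Unit #0: degraded, array is no longer fault tolerant",
    "Feb 12 06:10:01 localhost kernel: 3w-xxxx: scsi0: AEN: WARNING: Unit #0: degraded, array is no longer fault tolerant",
    "Feb 12 07:01:00 localhost kernel: 3w-xxxx: scsi0: AEN: WARNING: Unit #0: degraded, array is no longer fault tolerant",
]

if __name__ == "__main__":
    found, skipped = monitor(SAMPLE_LOG)
    for when, name, host, msg in found:
        print(when.strftime("%b %d %H:%M:%S"), name, host, msg[:60])
    print(f"{skipped} line(s) not in tag: message form")
    print("brute-force sources:", invalid_user_sources(SAMPLE_LOG))
```

Throttling is the part that decides whether an alert gets read: the second DNS-mismatch line and the second RAID warning are dropped because they fall inside the hour, while the third RAID warning, 3659 seconds after the first, gets through again, which is swatch's `throttle 1:00:00` behaviour. Counting by source address is the complement to a per-line rule: no single "Invalid user" line is interesting, but three from one host inside ten seconds is.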