CIT 470: Advanced Network and System Administration. Topics. System Logs. Logging


CIT 470: Advanced Network and System Administration
Logging (Slide #1)

Topics (Slide #2)
1. System logs
2. Logging policies
3. Finding logs
4. Syslog
5. Syslog servers
6. Log monitoring

System Logs (Slide #3)
Logs record status and error conditions.
Where do log messages come from?
- Kernel
- Accounting system
- System services
Logging methods:
- The service records its own logs (apache, cron).
- The service uses the syslog service to manage its logs.

Logging Policies (Slide #4)
1. Throw away log data.
2. Save for a while, then throw away.
3. Rotate log files.
4. Archive log files.

How to choose a logging policy? (Slide #5)
1. Are there any data retention requirements?
2. How much disk space do you have?
3. How quickly do you need to retrieve logs?
4. Could you find the source of a security issue with the logs you keep?

Throwing Away (Slide #6)
Not recommended. Leaves you unaware of:
- Software and hardware problems
- Security incidents
It may take time to detect an incident. Keep logs for at least a month or two.

Rotation (Slide #7)
Keep backup files for each day/week:
    logfile
    logfile.1
    logfile.2
    logfile.3
Rename the files each day/week to move the old ones back in the list.
Compress rotated logs to save disk space.
Remove/archive logs that are X days old.

Rotation script (Slide #8)
    #!/bin/sh
    # Shift each generation back by one; the oldest copy (logfile.3) is overwritten.
    cd /var/log
    mv logfile.2 logfile.3
    mv logfile.1 logfile.2
    mv logfile logfile.1
    # Start a fresh, empty log file readable only by root.
    cp /dev/null logfile
    chmod 600 logfile

logrotate (Slide #9)
Program to handle log rotation.
- Run via /etc/cron.daily.
- Configured via /etc/logrotate.conf.
Options:
- How often to rotate
- How long to keep logs
- Compression or not
- Log file permissions
- Pre- and post-rotate scripts

logrotate.conf (Slide #10)
    # rotate log files weekly
    weekly

    # keep 4 weeks worth of backlogs
    rotate 4

    # create new (empty) log files after rotating old ones
    create

    # uncomment if you want your log files compressed
    #compress

    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d

    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {
        monthly
        create 0664 root utmp
        rotate 1
    }

Archiving Logs (Slide #11)
- Store logs to archival media (tape).
- Archive after X days/weeks.
- Should be part of the regular backup plan.
- May want to save the logs for all hosts together.

Finding Logs (Slide #12)
Most logs are stored under:
- /var/log
- /var/adm
Check syslog's configuration: /etc/syslog.conf
To find other logs, read the startup scripts in /etc/init.d/* and the manuals for the services those scripts start.
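The shell script on slide 8 and the logrotate.conf above express the same retention scheme in two forms. The following Python is an added example, not code from the course slides or from logrotate: it implements "rotate N", optional compression and "create" with a fixed mode as a single function, and runs it repeatedly on a temporary directory so the behaviour at the end of the chain (the oldest copy falling off, the live file recreated with mode 0600) can be checked without touching /var/log. The function names and the log contents are this example's own.

```python
"""Log rotation in the style of slide 8 and logrotate's "rotate N" option.

Added example (not from the course slides): rotate_log() renames logfile to
logfile.1, logfile.1 to logfile.2 and so on, drops the generation beyond
`keep`, optionally gzips the rotated copy, and recreates an empty log with a
restrictive mode. demo() exercises it on a temporary directory.
"""
import gzip
import os
import shutil
import tempfile


def rotate_log(path, keep=4, compress=False, mode=0o600):
    """Rotate `path` once, keeping at most `keep` old generations."""
    suffix = ".gz" if compress else ""

    def old(n):
        return "%s.%d%s" % (path, n, suffix)

    # The oldest generation falls off the end of the list (logrotate "rotate N").
    if os.path.exists(old(keep)):
        os.remove(old(keep))
    # Shift the remaining generations back by one, oldest first, so that no
    # copy is overwritten before it has been moved (the mv chain on slide 8).
    for n in range(keep - 1, 0, -1):
        if os.path.exists(old(n)):
            os.replace(old(n), old(n + 1))
    # Move the live file to generation 1, compressing it if requested.
    if os.path.exists(path):
        if compress:
            with open(path, "rb") as src, gzip.open(old(1), "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.remove(path)
        else:
            os.replace(path, old(1))
    # Recreate an empty log file ("create") readable only by its owner,
    # the equivalent of "cp /dev/null logfile; chmod 600 logfile".
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    os.close(fd)
    os.chmod(path, mode)  # umask may have masked bits at creation time


def generations(path, compress=False):
    """Return the list of rotated generation numbers present, 1 upwards."""
    suffix = ".gz" if compress else ""
    found, n = [], 1
    while os.path.exists("%s.%d%s" % (path, n, suffix)):
        found.append(n)
        n += 1
    return found


def demo(keep=4, rounds=6, compress=True):
    """Write and rotate a constructed log `rounds` times in a temp directory.

    Returns (generations present, content of the oldest kept copy, permission
    bits of the live file) so the retention behaviour can be verified.
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "logfile")
    try:
        for i in range(1, rounds + 1):
            with open(path, "w") as f:
                f.write("round %d\n" % i)  # constructed log content
            rotate_log(path, keep=keep, compress=compress, mode=0o600)
        gens = generations(path, compress)
        oldest = "%s.%d%s" % (path, gens[-1], ".gz" if compress else "")
        opener = gzip.open if compress else open
        with opener(oldest, "rt") as f:
            oldest_content = f.read()
        live_mode = os.stat(path).st_mode & 0o777
        return gens, oldest_content.strip(), live_mode
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

With keep=4 and six rotations only the last four rounds survive, so the oldest copy on disk is "round 3"; the rounds before it were removed by the rotation, which is exactly the window a "rotate 4" policy gives an investigator.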

Finding Logs (Slide #13)
    Log file     Program           Contents
    messages     syslog            Various program/kernel logs.
    syslog       syslog            Various program/kernel logs.
    auth.log     su, ssh, login    Authorization fail/success.
    lastlog      login, xdm        Logins, commands.
    wtmp         login             Login accounting data.
    acct/pacct   kernel            UNIX process accounting.
    Xorg.log     X-Windows         X-Windows failures/info.

Syslog (Slide #14)
Comprehensive logging system.
- Frees programmers from managing log files.
- Gives sysadmins control over log management.
Sorts messages by:
- Source
- Importance
Routes messages to destinations:
- Files
- Network
- Terminals

Syslog Components (Slide #15)
- syslogd: the daemon that does the actual logging. An additional daemon, klog, gets kernel messages.
- openlog, syslog, closelog: C library routines to submit logs to syslog.
- logger: user-level program to submit logs to syslog. Can be used from shell scripts.

Example Syslog Messages (Slide #16)
    Feb 11 10:17:01 localhost /USR/SBIN/CRON[1971]: (root) CMD (run-parts --report /etc/cron.hourly)
    Feb 11 10:37:22 localhost -- MARK --
    Feb 11 10:51:11 localhost dhclient: DHCPREQUEST on eth1 to 192.168.1.1 port 67
    Feb 11 10:51:11 localhost dhclient: DHCPACK from 10.42.1.1
    Feb 11 10:51:11 localhost dhclient: bound to 10.42.1.55 -- renewal in 35330 seconds.
    Feb 11 14:37:22 localhost -- MARK --
    Feb 11 14:44:21 localhost mysqld[7340]: 060211 14:44:21 /usr/sbin/mysqld: Normal shutdown
    Feb 12 04:46:42 localhost sshd[29093]: Address 218.38.30.101 maps to ns.thundernet.co.kr, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    Feb 12 04:46:44 localhost sshd[29097]: Invalid user matt from ::ffff:218.38.30.101

Configuring Syslog (Slide #17)
Configured in /etc/syslog.conf.
Format: selector <Tab> action
Example: mail.info    /var/log/mail.log
Selector components:
- Source (facility): a list of facilities separated by commas, or *.
- Importance (level): can also be none or *.

/etc/syslog.conf (Slide #18)
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                  /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                      /var/log/maillog

    # Log cron stuff
    cron.*                                      /var/log/cron

    # Everybody gets emergency messages
    *.emerg                                     *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                              /var/log/spooler

    # Save boot messages also to boot.log
    local7.*                                    /var/log/boot.log

Syslog Facilities (Slide #19)
    Facility   Used by
    kern       The kernel
    user       User processes (default)
    mail       Mail servers and related software.
    daemon     System daemons (except mail, cron)
    auth       Security and authorization-related commands.
    lpr        Print server and related commands.
    cron       Cron daemon.
    local0-7   Eight local facilities (local0 to local7) for other programs.

Syslog Levels (Slide #20)
    Level      Meaning
    emerg      Panic situations (hardware failure, crash)
    alert      Urgent situations
    crit       Critical situations
    err        Non-critical errors.
    warning    Warnings.
    notice     Might merit investigation.
    info       Informational messages.
    debug      Debugging (typically enabled temporarily).

Syslog Actions (Slide #21)
    Action        Meaning
    filename      Write the message to a file on the local machine.
    @hostname     Send the message to syslogd on hostname.
    @ip           Send the message to syslogd at the IP address.
    user1,user2   Write the message to the users' screens if they are logged in.
    *             Write the message to all logged-in users.

Testing Syslog (Slide #22)
    stu> for i in {debug,info,notice,warning,err,crit,alert,emerg}
    > do
    >   logger -p daemon.$i "Test message for daemon, level $i"
    > done
    stu> tail /var/log/daemon.log
    Feb 11 15:57:00 localhost stu: Test message for daemon, level debug
    Feb 11 15:57:00 localhost stu: Test message for daemon, level info
    Feb 11 15:57:00 localhost stu: Test message for daemon, level notice
    Feb 11 15:57:00 localhost stu: Test message for daemon, level warning
    Feb 11 15:57:00 localhost stu: Test message for daemon, level err
    Feb 11 15:57:00 localhost stu: Test message for daemon, level crit
    Feb 11 15:57:00 localhost stu: Test message for daemon, level alert
    Feb 11 15:57:00 localhost stu: Test message for daemon, level emerg

Syslog Variants (Slide #23)
Some use m4 macros:
    auth.notice    ifdef( LOGHOST, /var/log/authlog, @loghost )
Red Hat Linux variants:
- Allow spaces as separators.
- New operator = (this priority only). Ex: mail.=info
- New operator ! (except this priority and higher). Ex: mail.info,mail.!err

Syslog-NG (Slide #24)
Free drop-in replacement for syslog.
More configurable:
- Save logs to a templated location (auto-rotates).
- Filter logs based on program, time, message, etc.
- Message format customization.
- Allows easy logging to a remote database.
Improved networking:
- TCP support as well as UDP.
Improved security:
- Doesn't trust hostnames in remote messages.
- TCP transmission permits encrypted tunneling (stunnel).
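The selector rules of slides 17 to 21 and the = and ! operators of slide 23 decide where a message ends up, and it is easy to misjudge a line such as "*.info;mail.none;authpriv.none" when reviewing a configuration. The following Python is an added example, not part of the course slides or of any syslogd implementation: it parses syslog.conf text with the semantics described on those slides (a level means that level and higher, * all levels, none no levels, =lvl exactly that level, !lvl excludes that level and higher, facilities separated by commas, selectors separated by semicolons, later selectors overriding earlier ones for the same facility) and reports which actions a given facility.level would reach. It uses the slide 18 configuration as sample input; function names are this example's own, and the facility list is assumed to be the standard one.

```python
"""Evaluate /etc/syslog.conf selectors (added example, not from the slides).

parse_syslog_conf() turns "selector <Tab> action" lines into, per rule, the
set of levels allowed for each facility. route() then lists the actions a
message with a given facility and level is delivered to. The action string
is returned as written, whether it is a file, @host, a user list or *.
"""

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Assumed standard facility list; "*" in a selector expands to all of these.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]


def _levels_for(spec):
    """Map one level spec to (levels, clear): clear=True removes them instead."""
    if spec == "none":
        return set(LEVELS), True           # facility gets nothing
    if spec == "*":
        return set(LEVELS), False          # every level
    clear = spec.startswith("!")           # "!err": exclude err and higher
    if clear:
        spec = spec[1:]
    if spec.startswith("="):
        return {spec[1:]}, clear           # "=info": exactly this level
    return set(LEVELS[: LEVELS.index(spec) + 1]), clear  # level and higher


def parse_syslog_conf(text):
    """Return [(allowed_levels_by_facility, action), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        selector, action = line.split(None, 1)  # tab or spaces (Red Hat style)
        allowed = {}
        for sel in selector.split(";"):
            # Expand "uucp,news.crit" to uucp.crit and news.crit. A token that
            # carries its own level ("mail.info,mail.!err") keeps it, so walk
            # right to left and let level-less tokens inherit from the right.
            pending, level = [], None
            for token in reversed(sel.split(",")):
                if "." in token:
                    token, level = token.rsplit(".", 1)
                pending.append((token, level))
            for fac, lvl in reversed(pending):
                lvls, clear = _levels_for(lvl)
                for f in (FACILITIES if fac == "*" else [fac]):
                    current = allowed.setdefault(f, set())
                    if clear:
                        current -= lvls
                    else:
                        current |= lvls
        rules.append((allowed, action.strip()))
    return rules


def route(rules, facility, level):
    """Actions a facility.level message reaches, in configuration order."""
    return [action for allowed, action in rules
            if level in allowed.get(facility, set())]


# The /etc/syslog.conf shown on slide 18.
SYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      /var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
"""

if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    for fac, lvl in [("authpriv", "info"), ("kern", "emerg"), ("news", "crit")]:
        print("%s.%s -> %s" % (fac, lvl, route(rules, fac, lvl)))
```

Running it against the slide 18 file shows why the "mail.none;authpriv.none" clauses matter: an authpriv.info message reaches only /var/log/secure, not the world-readable /var/log/messages, while a kern.emerg message reaches both /var/log/messages and every logged-in user. The same evaluator applied to "mail.info,mail.!err" confirms that warning, notice and info mail messages are kept and err and above are excluded.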

Log Servers (Slide #25)
Collect all syslog data on one server.
- Allows logging to scale to large networks.
- Logs can be correlated across machines.
- Security-sensitive logs are not left on a compromised host.
- Routers and diskless hosts must log to a server.
Need two syslog.conf files:
- Client: sends all logs across the network to the server.
- Server: saves logs to a database or to local files.

Log Monitoring (Slide #26)
Too much data for a human to process. Logs arrive 24x7 too.
Use an automatic monitoring program that triggers on patterns found in the log.
Examples: logwatch, swatch
    # 3ware logs
    watchfor /(?i)3w-xxxx.+no longer fault tolerant/
        mail=root,subject=lw warn: disk 3ware RAID not fault tolerant
        throttle 1:00:00,use=regex
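To make the "watchfor ... throttle" idea on slide 26 concrete, and to show how the message layout on slide 16 is taken apart, here is an added example in Python. It is not code from the course slides, from swatch or from logwatch: it parses the classic syslog line format (timestamp, host, tag[pid]: message), runs each message past a list of regex watchers, and suppresses repeat alerts for the same watcher inside a throttle window, the behaviour swatch's "throttle 1:00:00" provides. The log lines, hostnames and addresses are constructed for the example (modelled on the slide 16 messages, with documentation-range addresses), and the watcher and function names are this example's own.

```python
"""Pattern-triggered log monitoring with throttling (added example).

parse_line() splits a syslog line into its fields. monitor() applies a list
of (name, regex, throttle window) watchers in the spirit of swatch's
"watchfor ... throttle 1:00:00" and returns the alerts it would have raised
together with a count of matches suppressed by throttling.
"""
import re
from datetime import datetime, timedelta

# Layout of slide 16: "Feb 12 04:46:44 localhost sshd[29097]: Invalid user ..."
SYSLOG_LINE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def parse_line(line, year=2006):
    """Return the fields of a syslog line, or None for lines such as -- MARK --.

    Syslog timestamps carry no year, so the caller supplies one (the slide's
    example messages date from February 2006).
    """
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    stamp = datetime.strptime("%s %s %s %d" % (m["month"], m["day"], m["time"], year),
                              "%b %d %H:%M:%S %Y")
    return {"time": stamp, "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


# Watchers: (name, pattern, throttle window). Names are this example's own.
WATCHERS = [
    ("ssh-invalid-user", re.compile(r"Invalid user \S+ from \S+"), timedelta(hours=1)),
    ("ssh-reverse-dns", re.compile(r"(?i)possible break-?in attempt"), timedelta(hours=1)),
    ("raid-degraded", re.compile(r"(?i)3w-xxxx.+no longer fault tolerant"), timedelta(hours=1)),
]


def monitor(lines, watchers=WATCHERS, year=2006):
    """Return (alerts, suppressed) for the given log lines.

    A watcher alerts on its first match and again only once its throttle
    window has elapsed since its last alert; matches inside the window are
    counted in `suppressed` so the volume is not lost, only the noise.
    """
    last_alert, alerts, suppressed = {}, [], {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        for name, pattern, window in watchers:
            if not pattern.search(rec["msg"]):
                continue
            prev = last_alert.get(name)
            if prev is not None and rec["time"] - prev < window:
                suppressed[name] = suppressed.get(name, 0) + 1
                continue
            last_alert[name] = rec["time"]
            alerts.append((name, rec["host"], rec["time"].strftime("%b %d %H:%M:%S"), rec["msg"]))
    return alerts, suppressed


# Constructed sample log, modelled on slide 16 (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Feb 12 04:46:42 localhost sshd[29093]: Address 192.0.2.10 maps to host.example.invalid, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Feb 12 04:46:44 localhost sshd[29097]: Invalid user matt from ::ffff:192.0.2.10
Feb 12 04:46:50 localhost sshd[29101]: Invalid user admin from ::ffff:192.0.2.10
Feb 12 04:47:03 localhost -- MARK --
Feb 12 05:12:19 localhost sshd[29230]: Invalid user oracle from ::ffff:192.0.2.44
Feb 12 06:01:00 localhost sshd[29402]: Invalid user matt from ::ffff:192.0.2.10
Feb 12 06:30:12 localhost kernel: 3w-xxxx: scsi0: Unit 0 is no longer fault tolerant
""".splitlines()

if __name__ == "__main__":
    found, dropped = monitor(SAMPLE_LOG)
    for alert in found:
        print("ALERT %s on %s at %s: %s" % alert)
    print("suppressed:", dropped)
```

Over the sample, the three "Invalid user" messages within the first half hour produce one alert and two suppressed matches, and the one at 06:01 raises a fresh alert because the hour has passed; the -- MARK -- line is skipped by the parser rather than confusing a watcher. A real deployment would feed the monitor from the log server's files, which is what makes the centralised collection on slide 25 and the monitoring on slide 26 fit together.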