Use syslog server to collect UNIX and Windows logs

 

In large-scale network applications or applications with certain security requirements, you usually need to classify and review system logs. By default, each system will record its own logs on the local hard disk. Although there are also logs, there are many disadvantages: first, it is inconvenient to manage. When the number of servers is large, it is inconvenient to log on to each server to manage and analyze logs, followed by security issues. Once an intruder logs on to the system, he can easily delete all logs, system Security Analysts cannot obtain any intrusion information. Therefore, it is ideal to arrange a dedicated log server in the network to record system logs.

 

1. Record the log information of Unix-type hosts

 

Modify the/etc/syslog. conf file:

 

For example, if you only need to record the system login and logout logs to the remote log server, you only need to modify the following line:

Authpriv. * @ 192.168.10.100

192.168.10.100 is the IP address of the log server. The "@" symbol indicates that the IP address is sent to the remote host.

 

OK. Restart the syslog service:

Linux:/etc/init. d/syslogd restart

BSD:/etc/rc. d/syslogd restart

 

Use logger to test whether the configuration is successful:

Logger-P authpriv. notice "Hello, this is a test"

 

Go to the log server and check that "Hello, this is a test" should have been recorded. Finally, log in and log out several times on the client to check whether the real authpriv information is successfully recorded.

 

Ii. Windows Logging

 

For logs recorded between UNIX hosts, the Protocol, software, and log information formats are similar, so the implementation is simple, but the Windows System Log formats are different, the logging software, methods are different. Therefore, we need third-party software to convert windows logs into Syslog logs and forward them to the syslog server.

Introduction to third-party software evtsys (evntlog to syslog)

 

There are only a few K files, which are very clever. After decompression, there are two files: evtsys.dlland evtsys.exe.

Copy these two files to the C:/Windows/system32 directory.

 

Open a Windows Command Prompt (START-> RUN cmd)

C:/> evtsys-I-H 192.168.10.100

-I indicates that the service is installed as a system service.

-H: Specify the IP address of the log server

If you want to uninstall evtsys, then:

Net stop evtsys

Evtsys-u

 

Start the service:

C:/> Net start evtsys

 

Open the windows Group Policy Editor (START-> Run and enter gpedit. MSC)

 

Go to Windows Settings> Security Settings> Local Policies> Audit Policy to open the windows logs you need to record. Evtsys checks whether a new Windows Log is generated in real time, converts the new log to a recognizable syslogd format, and sends it to the syslogd server through UDP port 3072.

 

OK. All windows configurations are complete. Now configure the syslogd configuration file.

The parameter configuration is the same as above,

The difference is that evtsys sends the information to syslogd logs as a daemon device.

Therefore, you need to add the following to/etc/syslog. conf:

Daemon. Notice |/var/log/filter_log.sh

For more information about syslog recording devices and record levels, see the syslog documentation.