How to Use Syslog To record UNIX and Windows logs

Article Title: How to Use Syslog To record UNIX and Windows logs. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

In large-scale network applications or applications with certain security requirements, you usually need to classify and review system logs. By default, each system will record its own logs on the local hard disk. Although there are also logs, there are many disadvantages: first, it is inconvenient to manage. When the number of servers is large, it is inconvenient to log on to each server to manage and analyze logs, followed by security issues. Once an intruder logs on to the system, he can easily delete all logs, system Security Analysts cannot obtain any intrusion information.

Therefore, it is ideal to arrange a dedicated log server in the network to record system logs. This document uses the syslog in FreeBSD as an example to describe how to use the syslogd of freebsd to record log information from UNIX and windows.

　1. Record the log information of UNIX-type hosts

First, you must configure Freebsd syslog so that it can receive log information from other servers.

Add the following to/etc/rc. conf:

Syslogd_flags = "-4-A 0/0 :*"

Note: The syslogd parameter settings of freebsd are placed in the syslogd_flags variable in the/etc/rc. conf file.

Freebsd's default parameter for syslogd is syslogd_flags = "-s" (you can see it in/etc/defaults/rc. conf)

The default parameter-s indicates that the UDP port listener is enabled, but only the UDP port of the local machine is listened, and the log information from other hosts is rejected. If there are two ss (-ss), it means that no UDP port is opened, and logs are recorded only on the/dev/log Device of the current machine.

Description of modified parameters:

-4 only listens to IPv4 ports. If your network is an IPv6 protocol, you can change it to-6.

-A 0/0: * accept the log information sent from all ports in all CIDR blocks.

If you only want syslogd to receive log information from a specific network segment, write-a 192.168.1.0/24 :*

-A 192.168.1.0/24:514 or-a 192.168.1.0/24 indicates that only the log information from port 514 of the CIDR block is received, which is also the default setting of the syslogd process of freebsd, that is to say, freebsd determines the port on which the sender sends information when receiving log information from other hosts. If the sender does not send the information on port 514, freebsd's syslogd rejects the message. That is, by default, port 514 of the remote IP address must be sent to port 514 of the local IP address,

Add * to the parameter to allow receiving log information from any port. In this case, when recording UNIX host information, you do not feel any difference because UNIX hosts use port 514 to send and receive syslogs. But it is very important to receive windows information. Because the syslog software in windows does not need to send information on port 514, this will cause the default syslogd to refuse to receive information. I also used syslogd in linux to configure the log server. I found that syslogd in linux does not have so many restrictions. I only need to add the-r parameter to syslogd, it can receive syslog information from any port on any host. In this regard, freebsd's default configuration is more secure than linux.

After modifying the syslogd parameter, we need to modify the/etc/syslog. conf file to specify the storage path of log information,

For example, if you want to record the remote login and logout information of other systems and specify the log storage path, you need to modify the following lines:

Authpriv. */var/log/testlog

This means that the system login and logout logs (including the local system login and logout logs) are stored in the/var/log/testlog file.

Of course, this is the most simple practice, because it will store the login and logout information of all servers in a file, which is inconvenient to check. The common practice is to use a script, sort the received information and send it to different files.

 

[1] [2] [3] Next page