Linux authentication methods for logging UNIX and Windows logs with Syslog

Source: Internet
Author: User

Syslog can be used to record both UNIX and Windows logs, and it is a good idea to set up a dedicated log server in the network for that purpose. This article takes the syslog under FreeBSD as an example and describes how to use FreeBSD's syslogd to record log information from UNIX and Windows hosts.

In large networks, or wherever there are security requirements, it is often necessary to classify and audit system logs. By default every system records its own log on its local hard disk. That does provide a log record, but it has several shortcomings. First, management is inconvenient: when there are many servers, logging on to each one to manage and analyse its logs is very tedious. Second, there is a security problem: once an intruder has logged in to the system, he can easily delete all of the logs, and the security analyst gets no information about the intrusion at all.

Therefore, it is a good idea to arrange a dedicated log server in the network to record the system log. This article takes the syslog under FreeBSD as an example and describes how to use the syslogd of FreeBSD to record log information from UNIX and Windows.

I. Recording log information from UNIX-like hosts

The FreeBSD syslog needs to be configured first, allowing it to receive log information from other servers.

Add the following to /etc/rc.conf:

syslogd_flags="-4 -a 0/0:*"

Description: the syslogd parameters of FreeBSD are set in the syslogd_flags variable of the /etc/rc.conf file.

FreeBSD's default setting for syslogd is syslogd_flags="-s" (see /etc/defaults/rc.conf).

The default parameter -s means that the UDP port is opened, but only for the local machine; log information from other hosts is rejected. With two s's, that is -ss, no UDP port is opened at all and only the local /dev/log device is used to record logs.

Description of the modified parameters:

-4: listen on IPv4 only; if your network uses IPv6, replace it with -6.

-a 0/0:*: accept log messages sent from any port on any network segment.

If you only want syslogd to receive log information from a specific network segment, write it like this: -a 192.168.1.0/24:*

-a 192.168.1.0/24:514, or simply -a 192.168.1.0/24, means that only log information sent from port 514 of that segment is accepted. This is the default behaviour of FreeBSD's syslogd: when it receives log information from another host it checks the source port of the message, and if the other side is not sending from port 514, syslogd refuses the message. In other words, by default the remote host must send from its port 514 to port 514 of the local IP.

Adding * to the parameter allows log information from any source port to be received. For UNIX-like hosts this makes no visible difference, because they send and receive syslog messages on port 514. When it comes to receiving Windows information, however, it is very important: the Windows syslog software does not send from port 514, so a default-configured syslogd refuses its messages. The author also configured a log server on Linux with the Linux syslogd and found that it does not have so many restrictions: as long as syslogd is started with the -r parameter it accepts syslog information from any host and any port. In this respect the default configuration of FreeBSD is slightly more secure than that of Linux.

After modifying the syslogd parameters, we need to modify the /etc/syslog.conf file to specify where the log information is stored.

For example, to record the login and logout information of other systems and specify the log storage path, modify the following line:

authpriv.*    /var/log/testlog

This means that login and logout logs (including those of the local system itself) are stored in the file /var/log/testlog.

Of course, this is the most basic approach: it puts the login and logout information of all servers into one file, which is inconvenient to read. The common practice is to use a script that does a simple sort of the received information and writes it to different files.

For example, with the following setting:

authpriv.*    |/var/log/filter_log.sh

Prefixing the record target with "|" means that the received information is handed to the program that follows for processing. The program can be dedicated log-processing software or a small script written by yourself, for example:

#!/bin/sh
# syslogd keeps the pipe open, so read lines until EOF rather than only once
while read stuff; do
    # field 4 of a syslog line is the sending host's name or IP address
    server=`echo "$stuff" | awk '{print $4}'`
    echo "$stuff" >> /var/log/login_log/$server.log
done

This simple script sorts by host: it reads each log line with read, uses awk to extract the fourth field (which holds the IP address or host name), and uses that field as the file name for the host's log.

In this way, logs from 192.168.1.1 are recorded in 192.168.1.1.log and logs from 192.168.1.2 in 192.168.1.2.log, which makes analysis and categorisation easier. Of course, this is the simplest example; readers can write a better script to suit their own needs, or even insert the log information into a database, which makes managing and analysing the logs more convenient still.
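The host field that the script above turns into a file name arrives over the network and is chosen by the sending machine, so a log server should validate it before using it in a path. The following is an added example, not the article's own script: a hardened version of the filter that accepts only letters, digits, dots and dashes in the host field and sends anything else to a catch-all file. LOGDIR is an assumed directory; the file name filter_log.sh and the /var/log/login_log path are taken from the article.

```shell
#!/bin/sh
# Added example, not the article's own script: a hardened version of the
# per-host filter. The host field comes from untrusted network input, so it
# is checked before it is used to build a file name. LOGDIR is an assumption;
# the directory must exist and be writable by the user syslogd runs as.
LOGDIR="${LOGDIR:-/var/log/login_log}"

# Print the log file for one syslog line, taken from its fourth field (the
# host name or IP), or fail if that field is empty or contains anything other
# than letters, digits, dots and dashes (so "/" and "../" can never appear).
target_file() {
    host=$(printf '%s\n' "$1" | awk '{print $4}')
    case "$host" in
        ''|.|..|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s/%s.log\n' "$LOGDIR" "$host"
}

# Append one line to its host file; lines with an unusable host field are
# kept in a catch-all file rather than silently dropped.
route_line() {
    f=$(target_file "$1") || f="$LOGDIR/unknown.log"
    printf '%s\n' "$1" >> "$f"
}

# syslogd keeps the pipe open, so read lines until EOF instead of only once.
filter_stdin() {
    while IFS= read -r line; do
        route_line "$line"
    done
}

# Only start the read loop when installed under the name used in syslog.conf.
case "$0" in
    */filter_log.sh|filter_log.sh) filter_stdin ;;
esac
```

Install it as /var/log/filter_log.sh, make it executable, and create the log directory before restarting syslogd; lines that end up in unknown.log are worth a look, since a well-formed syslog line from a real host never lands there.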

Finally, restart the syslogd service for the configuration to take effect:

/etc/rc.d/syslogd restart

OK, the configuration of the server is complete. Now configure the client.

The client here is the host that sends its own logs to the remote log server.

Modify the /etc/syslog.conf file.

For example, to send only the system's login logs to the remote log server, just modify the following line:

authpriv.*    @192.168.10.100

Here 192.168.10.100 is the log server's IP, and the "@" symbol indicates that the messages are sent to a remote host.

OK, restart the syslog service:

Linux: /etc/init.d/syslogd restart

BSD: /etc/rc.d/syslogd restart

Test with logger whether the configuration is successful:

logger -p authpriv.notice "Hello,this is a test"

Check on the log server: "Hello,this is a test" should have been recorded. Finally, log in on the client a few times to see whether real authpriv information is also recorded successfully.

II. Recording Windows logs

For UNIX-like hosts the protocol, software and log format are all the same, so the implementation is relatively simple. On Windows, however, the system log format, the logging software and the methods are all different. Therefore we need third-party software that converts the Windows event log into syslog format and forwards it to the syslog server.

The third-party software used here is evtsys (full name: Eventlog to Syslog).

The download is only a few tens of KB; after decompression there are two files, evtsys.dll and evtsys.exe.

Copy these two files to the C:\Windows\System32 directory.

Open the Windows command prompt (Start > Run, type cmd):

C:\>evtsys -i -h 192.168.10.100

-i installs it as a system service

-h specifies the IP address of the log server

If you want to uninstall evtsys:

net stop evtsys

evtsys -u

Start the service:

C:\>net start evtsys

Open the Windows Group Policy Editor (Start > Run, type gpedit.msc).

Under Windows Settings > Security Settings > Local Policies > Audit Policy, enable the Windows audit logs you need. evtsys checks in real time whether a new Windows event has been generated, converts it into a format syslogd can recognise, and sends it to the syslogd server from UDP port 3072.

OK, the Windows side configuration is complete. Now configure the syslogd configuration file.

The parameter configuration is the same as above; the difference is that evtsys sends its log information to syslogd with the daemon facility. Therefore /etc/syslog.conf needs to include:

daemon.notice    |/var/log/filter_log.sh

Information on syslog facilities and severity levels can be found in the syslog documentation.

OK, all configuration settings are complete.

The system logs of Linux, BSD and Windows can now be easily managed on a single log server with unified logging.

