Logging-int: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 2: | Line 2: | ||
Deze server is onze centrale log server | Deze server is onze centrale log server | ||
= ip addressen = | = ip addressen = | ||
LET OP: de externe interface (212.72.224.44) heeft 'geen' default gateway! | |||
/etc/netplan/01-netcfg.yaml | |||
network: | |||
version: 2 | |||
ethernets: | |||
enp0s25: | |||
dhcp6: no | |||
accept-ra: no | |||
addresses: | |||
- 212.72.224.44/24 | |||
# | nameservers: | ||
search: | |||
- hobby.nl | |||
routes: | |||
# ns3.hobby.nl | |||
- to: 149.210.180.15 | |||
via: 212.72.224.1 | |||
# ns4.hobby.nl | |||
- to: 136.144.202.205 | |||
via: 212.72.224.1 | |||
optional: true | |||
enp6s0: | |||
dhcp6: no | |||
accept-ra: no | |||
addresses: | |||
- 172.31.1.27/24 | |||
nameservers: | |||
addresses: [] | |||
search: [] | |||
routes: | |||
- to: 172.31.0.0/16 | |||
via: 172.31.1.1 | |||
- to: 192.168.200.0/24 | |||
via: 172.31.1.1 | |||
optional: true | |||
= logwatch = | |||
Logwatch draait 1 x per dag<br> | |||
En meldt ongebruikelijkheden, over alle logs.<br> | |||
<br> | |||
Van alle servers staat alles in 1 log mail, wil je weten van welke het komt dan moet je grep doen | |||
== selectief meldingen onderdrukken == | |||
De default suppress-scripts staan in /usr/share/logwatch/scripts/services/sshd.<br> | |||
Wil je in zo'n script een aanpassing maken, copieer het relevante bestand dan naar de map '/etc/logwatch/scripts/services', en maak daar dan de gewenste aanpassingen. | |||
Voorbeeld: | |||
root@logging:/etc/logwatch/scripts/services# cp -a /usr/share/logwatch/scripts/services/sshd . | |||
root@logging:/etc/logwatch/scripts/services# vi sshd | |||
($ThisLine =~ /Disconnected from /) or | |||
($ThisLine =~ /Connection reset by /) | |||
Voorbeeld: onderdruk heel veel regels over scriptkiddies | |||
# | root@logging:/etc/logwatch/scripts/services# cp -a /usr/share/logwatch/scripts/services/pam_unix . | ||
# | root@logging:/etc/logwatch/scripts/services# vi pam_unix | ||
(helemaal onderin het bestand) | |||
oud: | |||
foreach my $entry (sort $sort keys %{$data{$service}{$type}}) { | |||
print " $entry: $data{$service}{$type}{$entry} Time(s)\n"; | |||
} | |||
nieuw: | |||
foreach my $entry (sort $sort keys %{$data{$service}{$type}}) { | |||
if ($type eq 'Authentication Failures') { | |||
if ($data{$service}{$type}{$entry} >= 5) { | |||
print " $entry: $data{$service}{$type}{$entry} Time(s)\n"; | |||
} | |||
} else { | |||
print " $entry: $data{$service}{$type}{$entry} Time(s)\n"; | |||
} | |||
} | |||
== ignore.conf == | == ignore.conf == | ||
Je kunt ook op globaal niveau regels wegfilteren. Zo'n regel wordt dan definitief uit alle output gehaald. | |||
Neem in de ignore.conf dingen op die globaal genegeerd mogen worden zoals: | |||
<pre> | <pre> | ||
# firewall start stop negeren | # firewall start stop negeren | ||
Start IPv4 firewall | |||
Start IPv6 firewall | |||
Stop IPv4 firewall | |||
Stop IPv6 firewall | |||
# | # negeer start stop regels van scripts in cron | ||
started on server | started on server | ||
finished on server | finished on server | ||
stopped on server | |||
ended on server | ended on server | ||
# start en stop van sessie hoeven niet in | # start en stop van een sessie hoeven niet in logwatch | ||
session opened for user | session opened for user | ||
session closed for user | session closed for user | ||
</pre> | </pre> | ||
Latest revision as of 12:10, 4 February 2019
doel
Deze server is onze centrale log server
ip addressen
LET OP: de externe interface (212.72.224.44) heeft 'geen' default gateway!
/etc/netplan/01-netcfg.yaml
network:
version: 2
ethernets:
enp0s25:
dhcp6: no
accept-ra: no
addresses:
- 212.72.224.44/24
nameservers:
search:
- hobby.nl
routes:
# ns3.hobby.nl
- to: 149.210.180.15
via: 212.72.224.1
# ns4.hobby.nl
- to: 136.144.202.205
via: 212.72.224.1
optional: true
enp6s0:
dhcp6: no
accept-ra: no
addresses:
- 172.31.1.27/24
nameservers:
addresses: []
search: []
routes:
- to: 172.31.0.0/16
via: 172.31.1.1
- to: 192.168.200.0/24
via: 172.31.1.1
optional: true
logwatch
Logwatch draait 1 x per dag
En meldt ongebruikelijkheden, over alle logs.
Van alle servers staat alles in 1 log mail, wil je weten van welke het komt dan moet je grep doen
selectief meldingen onderdrukken
De default suppress-scripts staan in /usr/share/logwatch/scripts/services/sshd.
Wil je in zo'n script een aanpassing maken, copieer het relevante bestand dan naar de map '/etc/logwatch/scripts/services', en maak daar dan de gewenste aanpassingen.
Voorbeeld:
root@logging:/etc/logwatch/scripts/services# cp -a /usr/share/logwatch/scripts/services/sshd . root@logging:/etc/logwatch/scripts/services# vi sshd
($ThisLine =~ /Disconnected from /) or
($ThisLine =~ /Connection reset by /)
Voorbeeld: onderdruk heel veel regels over scriptkiddies
root@logging:/etc/logwatch/scripts/services# cp -a /usr/share/logwatch/scripts/services/pam_unix .
root@logging:/etc/logwatch/scripts/services# vi pam_unix
(helemaal onderin het bestand)
oud:
foreach my $entry (sort $sort keys %{$data{$service}{$type}}) {
print " $entry: $data{$service}{$type}{$entry} Time(s)\n";
}
nieuw:
foreach my $entry (sort $sort keys %{$data{$service}{$type}}) {
if ($type eq 'Authentication Failures') {
if ($data{$service}{$type}{$entry} >= 5) {
print " $entry: $data{$service}{$type}{$entry} Time(s)\n";
}
} else {
print " $entry: $data{$service}{$type}{$entry} Time(s)\n";
}
}
ignore.conf
Je kunt ook op globaal niveau regels wegfilteren. Zo'n regel wordt dan definitief uit alle output gehaald.
Neem in de ignore.conf dingen op die globaal genegeerd mogen worden zoals:
# firewall start stop negeren Start IPv4 firewall Start IPv6 firewall Stop IPv4 firewall Stop IPv6 firewall # negeer start stop regels van scripts in cron started on server finished on server stopped on server ended on server # start en stop van een sessie hoeven niet in logwatch session opened for user session closed for user