Logging-int: Difference between revisions

From Hobbynet Admin Wiki
Latest revision as of 12:10, 4 February 2019

Purpose

This server is our central log server.

IP addresses

NOTE: the external interface (212.72.224.44) has 'no' default gateway!

/etc/netplan/01-netcfg.yaml
network:
   version: 2
   ethernets:
       enp0s25:
           dhcp6: no
           accept-ra: no
           addresses:
           - 212.72.224.44/24
           nameservers:
               search:
               - hobby.nl
           routes:
           # ns3.hobby.nl
           - to: 149.210.180.15
             via: 212.72.224.1
           # ns4.hobby.nl
           - to: 136.144.202.205
             via: 212.72.224.1
           optional: true
       enp6s0:
           dhcp6: no
           accept-ra: no
           addresses:
           - 172.31.1.27/24
           nameservers:
               addresses: []
               search: []
           routes:
           - to: 172.31.0.0/16
             via: 172.31.1.1
           - to: 192.168.200.0/24
             via: 172.31.1.1
           optional: true

logwatch

Logwatch runs once a day and reports anything unusual, across all logs.

Everything from all servers ends up in one log mail; if you want to know which server a line came from, you have to grep for it.

Selectively suppressing messages

The default suppress scripts live in /usr/share/logwatch/scripts/services/ (for sshd: /usr/share/logwatch/scripts/services/sshd).
If you want to change such a script, copy the relevant file to the directory '/etc/logwatch/scripts/services' and make the desired changes there.

Example:

root@logging:/etc/logwatch/scripts/services# cp -a /usr/share/logwatch/scripts/services/sshd .
root@logging:/etc/logwatch/scripts/services# vi sshd
      # add each message that should no longer be reported as an extra
      # alternative in the script's list of lines to ignore:
      ($ThisLine =~ /Disconnected from /) or
      ($ThisLine =~ /Connection reset by /)

Example: suppress the many lines about script kiddies

root@logging:/etc/logwatch/scripts/services# cp -a /usr/share/logwatch/scripts/services/pam_unix .
root@logging:/etc/logwatch/scripts/services# vi pam_unix
     (at the very bottom of the file)
   old:
     foreach my $entry (sort $sort keys %{$data{$service}{$type}}) {
       print "      $entry: $data{$service}{$type}{$entry} Time(s)\n";
     }
   new:
     foreach my $entry (sort $sort keys %{$data{$service}{$type}}) {
       # only report an authentication-failure entry once it reaches 5 occurrences;
       # every other entry type is printed as before
       if ($type eq 'Authentication Failures') {
         if ($data{$service}{$type}{$entry} >= 5) {
           print "      $entry: $data{$service}{$type}{$entry} Time(s)\n";
         }
       } else {
         print "      $entry: $data{$service}{$type}{$entry} Time(s)\n";
       }
     }

ignore.conf

You can also filter out lines at a global level. Such a line is then permanently removed from all output.

Put things in ignore.conf that may be ignored globally, such as:

# ignore firewall start/stop
Start IPv4 firewall
Start IPv6 firewall
Stop IPv4 firewall
Stop IPv6 firewall
# ignore start/stop lines from scripts run by cron
started on server
finished on server
stopped on server
ended on server
# session open and close do not need to be in logwatch
session opened for user
session closed for user
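As an added example (not part of the original wiki page), this Python script mimics how ignore.conf is applied: every non-comment line is treated as a regular expression and any report line matching it is dropped. It also keeps a per-pattern list of what was silenced, so you can check what a new pattern hides before relying on it; the ignore.conf text and the report lines are constructed, and the unanchored-regex matching rule is an assumption about logwatch's behaviour.

```python
import re

# Constructed copy of the ignore.conf shown above. How logwatch reads it is an
# assumption here: comments and blank lines are skipped, every other line is a regex.
IGNORE_CONF = """\
# ignore firewall start/stop
Start IPv4 firewall
Start IPv6 firewall
Stop IPv4 firewall
Stop IPv6 firewall
# ignore start/stop lines from scripts run by cron
started on server
finished on server
stopped on server
ended on server
# session open and close do not need to be in logwatch
session opened for user
session closed for user
"""

# Constructed sample report lines, not taken from a real logwatch mail.
SAMPLE_REPORT = [
    "=*= Start IPv4 firewall =*=",
    "Accepted publickey for alice from 172.31.1.5 port 50122 ssh2",
    "pam_unix(cron:session): session opened for user root by (uid=0)",
    "pam_unix(sudo:session): session opened for user root by alice(uid=1000)",
    "backup.sh started on server web1",
    "backup.sh FAILED: job finished on server web1 with 3 errors",
    "Authentication Failures: root: 17 Time(s)",
]


def load_ignore_patterns(text: str) -> list[re.Pattern]:
    """Compile every non-comment, non-blank line of ignore.conf as a regex."""
    return [re.compile(line.strip()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def filter_report(lines: list[str],
                  patterns: list[re.Pattern]) -> tuple[list[str], dict[str, list[str]]]:
    """Drop each line matching any pattern (unanchored search) and record, per
    pattern, which lines it silenced so the blind spots can be reviewed."""
    kept, silenced = [], {p.pattern: [] for p in patterns}
    for line in lines:
        hit = next((p for p in patterns if p.search(line)), None)
        if hit is None:
            kept.append(line)
        else:
            silenced[hit.pattern].append(line)
    return kept, silenced
```

Note that the short, unanchored "finished on server" pattern also silences the constructed backup failure line, and "session opened for user" removes the sudo session as well as the cron one; review the silenced list before adding a pattern.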