System logs are vital for tracking system activities, diagnosing issues, and identifying potential security incidents. This project will guide you through a system log assessment, focusing on analyzing logs to detect suspicious activities. You will use various tools to collect, analyze, and interpret log data.
- Basic understanding of system logging concepts (log files, log levels, etc.)
- Familiarity with the Linux command line
- A computer with a Linux operating system (preferably Ubuntu)
- Internet connection to download necessary tools
- Lab Environment: A single Linux machine with sudo access.
- Tools:
- Rsyslog
- Logwatch
- Logrotate
- Splunk
- ELK Stack (Elasticsearch, Logstash, Kibana)
Objective: Configure Rsyslog for centralized logging and ensure logs are collected in a centralized location.
Steps:
- Install Rsyslog:
sudo apt-get update
sudo apt-get install rsyslog
- Configure Rsyslog:
- Edit /etc/rsyslog.conf (or add a file under /etc/rsyslog.d/) to enable centralized logging. Add the following line to forward all facilities and priorities to a remote log server:
*.* @192.168.1.100:514
- Replace 192.168.1.100 with the IP address of your remote log server. A single @ forwards over UDP, which is unencrypted and gives no delivery guarantee: messages are silently lost while the collector is down, and anyone on the path can read or inject them. Use @@ for TCP, and for anything beyond a lab wrap the connection in TLS (rsyslog's gtls netstream driver, normally on port 6514). The collector must also be listening (imudp or imtcp module loaded on the matching port) and must accept the client's source address.
- Restart Rsyslog:
sudo systemctl restart rsyslog
Expected Output:
- Logs should be forwarded to the specified remote log server. Check the configuration syntax with rsyslogd -N1 before restarting; afterwards, run logger -t logtest "forwarding check" on the client and search for logtest in the collector's logs to confirm end-to-end delivery.
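As an added example that is not part of the original lab: the lab's forwarding rule beside a hardened rsyslog configuration, and a small audit function that flags plaintext forwarding rules in a config file. The certificate paths, the collector name logserver.example.internal and the queue settings are assumptions chosen for illustration; 192.168.1.100 is the page's own placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): weak vs hardened rsyslog forwarding,
# plus an audit function that flags plaintext forwarding rules in a config file.
set -eu

# Weak: the rule the lab adds. A single "@" means UDP: unreliable and unencrypted,
# so anything on the path can read, drop or spoof log traffic.
WEAK_RULE='*.* @192.168.1.100:514'

# Hardened (assumed cert paths and peer name): omfwd over TCP with TLS via the
# gtls driver, peer verified by certificate name, and a disk-assisted queue so
# messages are buffered rather than lost while the collector is unreachable.
# The collector needs a matching imtcp listener with its own certificate.
HARDENED_RULES='
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem")
action(type="omfwd" target="192.168.1.100" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logserver.example.internal"
       queue.type="LinkedList" queue.filename="fwd_q" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
'

# audit_forwarding FILE -- prints one line per forwarding rule, classified as
# PLAINTEXT-UDP (legacy @host), PLAINTEXT-TCP (legacy @@host or an omfwd action
# without the gtls stream driver) or TLS (omfwd action with StreamDriver="gtls").
# Multi-line action(...) blocks are joined before classification.
audit_forwarding() {
  awk '
    function classify(rule) {
      if (rule !~ /type="omfwd"/) return
      if (rule ~ /StreamDriver="gtls"/) print "TLS", rule
      else print "PLAINTEXT-TCP", rule
    }
    /^[ \t]*#/ { next }                                    # comment line
    /^[^#]*[ \t]@@/ { print "PLAINTEXT-TCP", $0; next }    # legacy TCP forwarding
    /^[^#]*[ \t]@[^@]/ { print "PLAINTEXT-UDP", $0; next } # legacy UDP forwarding
    /action\(/ {                                           # start of an action block
      buf = $0; inact = (index($0, ")") == 0)
      if (!inact) classify(buf)
      next
    }
    inact {                                                # continuation of the block
      buf = buf " " $0
      if (index($0, ")") > 0) { inact = 0; classify(buf) }
    }
  ' "$1"
}

# Demo on a constructed config containing both rules.
demo_config=$(mktemp)
printf '%s\n%s\n' "$WEAK_RULE" "$HARDENED_RULES" > "$demo_config"
audit_forwarding "$demo_config"
rm -f "$demo_config"
```

Run it against /etc/rsyslog.conf and every file under /etc/rsyslog.d/ to find hosts that still ship logs in the clear; the audit only recognises the legacy @/@@ syntax and omfwd actions, so a rule using another output module (omrelp, for example) would need its own pattern.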
Objective: Use Logwatch to generate daily reports from system logs.
Steps:
- Install Logwatch:
sudo apt-get install logwatch
- Generate a Log Report:
sudo logwatch --detail high --logfile syslog --range today --service all --print
- The --logfile option takes a logfile group name (syslog, messages, secure, and so on, as defined under /etc/logwatch/conf/logfiles/ and /usr/share/logwatch/default.conf/logfiles/), not a path; --print writes the report to standard output instead of mailing it.
Expected Output:
- Detailed log report summarizing system activities for the day, grouped by service (sshd, sudo, cron, kernel and others). On a default Ubuntu install Logwatch also runs daily from /etc/cron.daily/00logwatch and mails the result to root, so check that mail actually reaches someone.
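Logwatch summarises what the logs contain; detecting suspicious activity also needs rules of your own. The following is an added example, not part of the original lab or of Logwatch: three detections run over constructed auth.log lines in the format rsyslog writes on Ubuntu. The host name, users and addresses are invented for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): detection rules over auth.log lines.
# The log lines are constructed for the example; addresses are documentation ranges.
set -eu

SAMPLE_AUTH_LOG='Mar  4 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  4 10:01:15 host sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  4 10:01:19 host sshd[2205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  4 10:01:23 host sshd[2207]: Failed password for root from 203.0.113.45 port 51052 ssh2
Mar  4 10:01:40 host sshd[2209]: Accepted password for root from 203.0.113.45 port 51060 ssh2
Mar  4 10:02:02 host sshd[2211]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar  4 10:02:30 host sshd[2213]: Accepted publickey for alice from 198.51.100.7 port 40020 ssh2
Mar  4 10:03:00 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash'

# ssh_failures_by_ip [THRESHOLD] -- reads log lines on stdin; prints "ip count"
# for each source with at least THRESHOLD (default 5) failed password attempts.
ssh_failures_by_ip() {
  awk -v t="${1:-5}" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' | sort
}

# success_after_failures [THRESHOLD] -- prints "ip user" when a source that
# already failed THRESHOLD (default 3) times then authenticates successfully:
# the signature of a brute force that worked, and a better alert than raw failures.
success_after_failures() {
  awk -v t="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
      user = ""; ip = ""
      for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i + 1); if ($i == "from") ip = $(i + 1) }
      if (fails[ip] >= t) print ip, user
    }
  ' | sort
}

# sudo_shell_escalations -- prints "user command" for every sudo invocation that
# spawns an interactive shell, which sidesteps any per-command restriction the
# administrator believes sudoers enforces.
sudo_shell_escalations() {
  awk '
    /sudo:/ && /COMMAND=\/(usr\/)?bin\/(ba|z|da)?sh$/ {
      match($0, /COMMAND=.*/)
      print $6, substr($0, RSTART + 8)
    }
  ' | sort
}

# Demo: run each rule over the sample (on a live system: sudo cat /var/log/auth.log | ...)
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failures_by_ip 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_shell_escalations
```

The thresholds are the tuning knobs: counting failures alone flags every scanner on the internet, while a success from a source that had already failed repeatedly is rare enough on a well-run host to page on.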
Objective: Use Logrotate to manage and rotate log files to prevent them from growing indefinitely.
Steps:
- Configure Logrotate:
- Edit or create a configuration file for your logs, e.g., /etc/logrotate.d/custom_logs:
/var/log/custom_log {
    daily
    rotate 7
    compress
    missingok
    notifempty
    create 0640 root utmp
}
- create sets the mode and ownership of the fresh log file after rotation; 0640 keeps it unreadable to unprivileged users. Set the group to whoever must read it (adm is the convention for system logs on Ubuntu). If the writing process keeps the file open, add delaycompress, or copytruncate when it cannot be told to reopen its log, otherwise it keeps writing into the rotated file.
- Test Logrotate Configuration:
sudo logrotate -d /etc/logrotate.d/custom_logs
- -d is a dry run: it prints what logrotate would do and changes nothing. To rotate immediately, run the same command with -f instead; the last rotation time of each file is tracked in /var/lib/logrotate/status.
Expected Output:
- Log files are rotated daily by the system's logrotate cron job or timer, with the last 7 rotations retained and compressed to save space.
Objective: Use Splunk to collect, index, and monitor system logs in real-time.
Steps:
- Install Splunk:
wget -O splunk-8.0.5-152fb4b2bb96-Linux-x86_64.deb "https://www.splunk.com/page/download_track?file=8.0.5/linux/splunk-8.0.5-152fb4b2bb96-Linux-x86_64.deb"
sudo dpkg -i splunk-8.0.5-152fb4b2bb96-Linux-x86_64.deb
- Start Splunk:
sudo /opt/splunk/bin/splunk start --accept-license
sudo /opt/splunk/bin/splunk enable boot-start
- On first start Splunk prompts for an administrator username and password; choose a strong one, since both the web interface and the management port (8089) are protected by it. Version 8.0.5 is an old release; for anything other than a throwaway lab, download the current version.
- Add Data Sources:
- Access the Splunk web interface at http://localhost:8000.
- Add the /var/log directory as a data source (Settings > Add Data > Monitor > Files & Directories) to monitor system logs. Splunk started as root can read everything under /var/log; if you later run it as a dedicated splunk user, add that user to the adm group, otherwise it cannot read files such as auth.log and syslog, which are mode 0640 and owned by root:adm.
Expected Output:
- Real-time log monitoring dashboard in Splunk showing collected logs. A search such as index=* "Failed password" in the Search & Reporting app confirms that the files are being indexed.
Objective: Use the ELK Stack (Elasticsearch, Logstash, Kibana) to collect, process, and visualize log data.
Steps:
- Install Elasticsearch:
sudo apt-get install elasticsearch
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
- The elasticsearch, logstash and kibana packages are not in the Ubuntu repositories: add Elastic's signing key and APT repository first (see the Elastic installation documentation for your version) and run sudo apt-get update. Elasticsearch 8.x enables TLS and authentication by default, so the plain http://localhost:9200 output below works as written only on 7.x or after disabling security; on 8.x give Logstash the generated CA certificate and credentials (the cacert, user and password options of the elasticsearch output).
- Install Logstash:
sudo apt-get install logstash
- Configure Logstash:
- Create a configuration file /etc/logstash/conf.d/logstash.conf:
input {
  file {
    path => "/var/log/syslog"
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslog"
  }
}
- Logstash runs as the logstash user, which cannot read /var/log/syslog (mode 0640, group adm) until you add it to that group with usermod -aG adm logstash and restart the service. Without a filter section every line is indexed as one unparsed message field; add a grok filter (the SYSLOGLINE pattern) if you want to query by program, host or PID.
- Start Logstash:
sudo systemctl start logstash
sudo systemctl enable logstash
- Install Kibana:
sudo apt-get install kibana
sudo systemctl start kibana
sudo systemctl enable kibana
- Access Kibana:
- Open a browser and navigate to http://localhost:5601.
- Configure Kibana to use the syslog index (create a data view, called an index pattern in 7.x, matching syslog under Stack Management) and create visualizations.
Expected Output:
- Interactive dashboards in Kibana displaying log data from Elasticsearch.
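The Logstash configuration above ships each syslog line to Elasticsearch as a single unparsed message field. As an added example that is not part of the original lab and not Logstash code (Logstash would do this with a grok filter), the following shell function performs that field extraction offline and writes the result in the NDJSON format the Elasticsearch _bulk API accepts. The sample lines and host name are constructed; the index name defaults to the lab's syslog.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab or from Logstash): the field extraction
# the lab's logstash.conf does not do, written as a shell pipeline that emits
# Elasticsearch _bulk NDJSON. Sample lines are constructed.
set -eu

SAMPLE_SYSLOG='Mar  4 10:05:01 host CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:05:07 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat "/etc/shadow"
Mar  4 10:05:09 host kernel: [ 1234.567] audit: type=1400 apparmor="DENIED"'

# syslog_to_bulk [INDEX] -- reads traditional (RFC 3164 style) syslog lines on
# stdin and writes one _bulk action line plus one document per input line, with
# timestamp, host, program, pid (null when absent) and the remaining message.
syslog_to_bulk() {
  awk -v idx="${1:-syslog}" '
    # Escape backslashes and double quotes so the output is valid JSON.
    function jq(s,    out, i, c) {
      out = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (c == "\\" || c == "\"") out = out "\\"
        out = out c
      }
      return out
    }
    NF >= 5 {
      ts   = $1 " " $2 " " $3          # "Mar 4 10:05:01" (this format carries no year)
      host = $4
      tag  = $5                        # "program[pid]:" or "program:"
      sub(/:$/, "", tag)
      pid = "null"
      if (match(tag, /\[[0-9]+\]$/)) {
        pid = substr(tag, RSTART + 1, RLENGTH - 2)
        tag = substr(tag, 1, RSTART - 1)
      }
      msg = $0
      sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ */, "", msg)   # drop the 5 header fields
      printf "{\"index\":{\"_index\":\"%s\"}}\n", jq(idx)
      printf "{\"timestamp\":\"%s\",\"host\":\"%s\",\"program\":\"%s\",\"pid\":%s,\"message\":\"%s\"}\n", ts, jq(host), jq(tag), pid, jq(msg)
    }
  '
}

# Demo: print the NDJSON. To index it (assumes security disabled, as in the lab):
#   printf '%s\n' "$SAMPLE_SYSLOG" | syslog_to_bulk syslog | \
#     curl -s -XPOST http://localhost:9200/_bulk -H 'Content-Type: application/x-ndjson' --data-binary @-
printf '%s\n' "$SAMPLE_SYSLOG" | syslog_to_bulk syslog
```

Once program, host and pid are separate fields, the Kibana data view can filter on program:sshd or program:sudo directly instead of full-text searching the message, which is what makes the dashboards in the last step useful for triage.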
By completing these exercises, you have learned how to collect, analyze, and interpret system logs using various tools. These skills are essential for detecting and responding to potential security incidents in your system.