By: Mikhael Hamoy, Mark Lee, Mohammad Hossain
SEC625SBB Assignment 2 Report

First we checked whether rsyslog was already installed on our LAMP server by running “yum install rsyslog”. Next we checked whether rsyslog was running with “systemctl status rsyslog.service”. Since we did not have access to the root password, systemctl did not work, so we had to find an alternative: “service rsyslog status” showed that it was active (running).

Next we edited the rsyslog configuration file with “vi /etc/rsyslog.conf” and configured rsyslog to send all logs/messages to the Graylog server via port 5014 (or whatever port the Graylog input is listening on). We added “*.*@10.40.103.47:5014” underneath the begin forwarding rule. Then we restarted the rsyslog service with “systemctl restart rsyslog.service” so the changes take effect. Next we checked that rsyslog was listening on port 5014 with “netstat -antup | grep 5014”.

Next we logged into our Graylog server from our host machine by entering “10.40.103.47:9000” in the URL bar. After successfully connecting to the Graylog server you will see a popup screen asking for your web login credentials. Our login credentials were “admin:CPF9mr7h”. Next we went to System > Input, selected Syslog UDP and clicked “Launch new input”. We changed the bind address to “0.0.0.0” and the port to “5014” and used this input to collect the logs rsyslog sends over Syslog UDP. After that we tried to SSH in via PuTTY with a wrong password; rsyslog should send all logs about it to the Graylog server.

Next we added another input called “GELF TCP” to configure sending log data from our Windows Server 2012.
We checked that port 12201 was listening with “netstat -an | grep 12201”. After that we went to our Windows Server, downloaded NXLog from https://nxlog.co/products/nxlog-community-edition/download and installed it. The NXLog configuration file is located at “C:\Program Files (x86)\nxlog\conf\nxlog.conf”. We changed the configuration file to add:

<Extension gelf>
    Module xm_gelf
</Extension>

Host: IP of the rsyslog server (Graylog server)
Port 12201
OutputType GELF_TCP

After saving the configuration file we restarted the nxlog service so the change would take effect.

After that we started generating some event logs from the command line. You can see the event logs you have created in Event Viewer on the Windows Server by clicking Windows Logs > Application. After that we went to our Graylog server, refreshed the Windows Server input and finally got logs. Here is a picture of the inputs running.

Next we configured the rsyslog configuration file so it can push logs from Linux to the Graylog server. We opened “vi /etc/rsyslog.conf” again and added this line. After that we saved the file and restarted the service. If it gave us an error, we went back and checked to make sure everything was correct and free of errors.

Here is the IP address of our LAMP server. Here is our rsyslog configuration file. Here is the IP address of our Graylog server. Here are our logs flowing from rsyslog on the LAMP server to the Graylog server. Here is our Windows Server IP address.
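The two pieces of this setup that are easy to get wrong are the rsyslog forwarding rule (a single “@” is UDP, “@@” is TCP) and the framing the GELF TCP input expects (one JSON event per NUL-terminated frame). The following Python script is an added example, not part of the report or of the rsyslog/NXLog/Graylog projects: it parses a forwarding rule as written in /etc/rsyslog.conf and builds a GELF 1.1 frame that can be sent to the 12201 input to confirm it is receiving without involving the Windows host. The host name “lamp” and the sample message are constructed; the Graylog address 10.40.103.47 is the one used in the report.

```python
import json
import re
import socket
import time

# Legacy rsyslog forwarding action: "<selector> @host[:port]" forwards over
# UDP, "<selector> @@host[:port]" over TCP. The default syslog port is 514.
_FWD = re.compile(r"^\s*(\S+?)\s*(@@?)\s*([^:\s]+)(?::(\d+))?\s*$")

def parse_rsyslog_forward(line):
    """Return (selector, protocol, host, port) for a forwarding rule, else None."""
    m = _FWD.match(line)
    if not m:
        return None
    selector, at, host, port = m.groups()
    return (selector, "tcp" if at == "@@" else "udp", host, int(port) if port else 514)

def build_gelf_tcp_frame(host, short_message, level=6, **extra):
    """Encode one GELF 1.1 event for a GELF TCP input: the JSON document
    followed by a single NUL byte, which is the frame delimiter GELF TCP uses."""
    event = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),
        "level": level,            # syslog severity: 4 = warning, 6 = info
    }
    for key, value in extra.items():
        if key == "id":            # "_id" is reserved and rejected by Graylog
            raise ValueError("additional field 'id' is not allowed in GELF")
        event["_" + key] = value   # additional fields must start with "_"
    # json.dumps escapes control characters, so the body itself never contains NUL.
    return json.dumps(event).encode("utf-8") + b"\x00"

def send_gelf_tcp(frame, graylog_host, port=12201):
    """Deliver one frame to the GELF TCP input; returns the number of bytes sent."""
    with socket.create_connection((graylog_host, port), timeout=5) as sock:
        sock.sendall(frame)
    return len(frame)

if __name__ == "__main__":
    print(parse_rsyslog_forward("*.* @10.40.103.47:5014"))
    # Constructed sample event mimicking a failed SSH login on the LAMP host.
    frame = build_gelf_tcp_frame("lamp", "sshd: Failed password for invalid user test",
                                 level=4, source="manual-test")
    print(frame)
    # send_gelf_tcp(frame, "10.40.103.47")   # uncomment to send to the real input
```

If the event appears in Graylog under the GELF TCP input, the input and network path are fine and any remaining problem is on the NXLog side.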