Always knowing what is happening on your organization's systems is key to a successful security strategy, and nothing helps with that kind of visibility more than syslog. Syslog is supported by virtually every piece of enterprise network hardware and every Linux distribution, so you can send messages from your firewalls and servers to a central logging server for long-term storage and analysis. SIEM tools such as Splunk and LogRhythm are great ways to organize and visualize that data once it is in one place. In this post we'll go a step further and show how to log every command your users run to syslog for increased situational awareness.
In today's example I'll use rsyslog on Fedora 28 (server) and Raspbian (client). Let's dive in!
Syslog server setup
The first step is to check that rsyslog is installed. Use rpm -q rsyslog to see whether it is; otherwise install it with dnf install rsyslog.
Next, edit /etc/rsyslog.conf and uncomment the two lines below, which load the UDP input module and start a listener on port 514:

    # Provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

Newer rsyslog releases ship the same setting in the current syntax, module(load="imudp") followed by input(type="imudp" port="514"); uncomment whichever form your file contains, the two are equivalent.
You can also uncomment the TCP section right below it if you want to receive syslog over TCP. Unlike UDP, TCP lets the client notice when the server is unreachable instead of silently losing messages, so it is the better choice for anything you may need later in an investigation.
Next, add directives to the bottom of the file that say where received messages should be stored. It's best practice to keep these on their own partition or volume, so that a burst of messages cannot fill the root filesystem and make the server unresponsive. I use /data/logs; the templates below give each sending host its own directory and each program its own file:

    $template TmplAuth, "/data/logs/HOSTS/%fromhost%/%PROGRAMNAME%.log"
    $template TmplMsg, "/data/logs/HOSTS/%fromhost%/%PROGRAMNAME%.log"
    authpriv.* ?TmplAuth
    *.info;mail.none;authpriv.none;cron.none ?TmplMsg

Note the semicolons in the last selector: the syslog selector syntax separates facility.priority pairs with ";", while a comma means a list of facilities sharing one priority, so "*.info,mail.none,..." does not do what it looks like. Also note %fromhost%: it is the sender's name resolved from the connection's peer address, not the hostname field inside the message, so a client cannot write into another host's directory by forging that field.
Save your changes and exit. Make sure the destination directory exists (mkdir -p /data/logs; rsyslog creates the per-host subdirectories itself), then restart rsyslog with systemctl restart rsyslog.
Before remote hosts can send you anything, make sure the host firewall allows inbound 514/udp (and 514/tcp if you enabled the TCP listener). On Fedora that is done with firewall-cmd; make the rule permanent so it survives a reboot.
Syslog client setup
Configuration on the remote machines is much simpler. Edit /etc/rsyslog.conf and add this line to the bottom, replacing 192.168.1.10 with the address of your syslog server:

    *.* @192.168.1.10:514

A single @ forwards over UDP; @@ forwards over TCP, which requires the TCP listener on the server. Either way the messages travel in clear text, and *.* includes authpriv, so keep the path between clients and server on a trusted network.
Restart rsyslog with systemctl restart rsyslog.
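The server and client pieces above, as an added example that is not from the original post, written in rsyslog's current syntax (the $-directives shown in the post still work; this is the form a fresh rsyslog.conf ships with). It goes a little beyond the post: both listeners are bound to their own ruleset so remote messages never fall through into the server's own /var/log files, and the client forwards over TCP with a disk-assisted queue instead of fire-and-forget UDP. The function names, the /etc/rsyslog.d file names, the "remote" ruleset name and the queue file name are my choices; 192.168.1.10 and /data/logs come from the post.

```shell
#!/bin/sh
# Added example, not rsyslog's or the post's own configuration.
# Each function prints a config file; see the usage comment at the bottom.

render_server_conf() {
    cat <<'EOF'
# /etc/rsyslog.d/10-remote.conf  (syslog server)
module(load="imudp")
module(load="imtcp")

# %fromhost% is the sender's name resolved from the socket peer address, so
# a client cannot pick its own directory by forging the HOSTNAME field in
# the message. %programname% is the syslog tag; logger's default tag is the
# login name, which is why the post ends up with username.log.
template(name="RemoteLog" type="string"
         string="/data/logs/HOSTS/%fromhost%/%programname%.log")

# Bind both listeners to one ruleset: remote messages are written here and
# "stop" keeps them out of the rules that handle the server's own logs.
ruleset(name="remote") {
    authpriv.*                                action(type="omfile" dynaFile="RemoteLog" fileCreateMode="0640" dirCreateMode="0750")
    *.info;mail.none;authpriv.none;cron.none  action(type="omfile" dynaFile="RemoteLog" fileCreateMode="0640" dirCreateMode="0750")
    stop
}
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
EOF
}

render_client_conf() {
    cat <<'EOF'
# /etc/rsyslog.d/50-forward.conf  (every client)
# "*.* @192.168.1.10:514" is UDP: unacknowledged, so messages vanish when
# the server or the network hiccups. This is the TCP equivalent ("@@") with
# a disk-assisted queue: while the server is unreachable the client spools
# to a file under the $WorkDirectory set in the distro's rsyslog.conf and
# ships the backlog when the server comes back, retrying forever.
*.* action(type="omfwd" target="192.168.1.10" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_remote"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Usage (as root), then the same idea with render_client_conf on each client:
#   render_server_conf > /etc/rsyslog.d/10-remote.conf
#   rsyslogd -N1 && systemctl restart rsyslog
```

rsyslogd -N1 parses the whole configuration without starting the daemon, so a typo shows up before you restart and silently stop receiving logs.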
At this point, logs should be flowing to your syslog server. However, we can do more. Say you have a production machine that users connect to, including support staff, and you need to know what they run. You can update the system-wide bashrc so every command typed at an interactive bash prompt is logged to the remote syslog server.
Edit /etc/bashrc (on Raspbian and other Debian-based systems the file is /etc/bash.bashrc) and add this line to the end of the file:

    export PROMPT_COMMAND='logger "$(whoami) : $(history 1 | sed "s/^ *[0-9]*[ *] *//")"'

What exactly does this do? PROMPT_COMMAND is a bash variable whose contents bash executes just before it prints each prompt, in other words right after every interactive command finishes. history 1 prints the most recent history entry, sed strips the leading entry number (bash right-aligns that number in a five-character field, so a field-based cut only works while it happens to be three digits), and logger hands the result to the local syslog daemon, which forwards it to the server along with everything else. logger's default tag is the login name of the user running it, and the server template names files by program name, so each user's commands end up in username.log under that host's directory. Keep two things in mind before relying on this. First, it only sees commands typed into an interactive bash shell: scripts, scp, "ssh host command" and other shells never trigger it. Second, a user can switch it off with unset PROMPT_COMMAND, start a different shell, or keep a command out of history with HISTCONTROL=ignorespace, so treat it as an accountability trail for cooperative users rather than tamper-resistant auditing; for the latter use the kernel audit subsystem (auditd). Also remember that any password or token typed on a command line now travels to the server in clear text.
If we look on the syslog server, we'll see that all of the commands the user has run have been recorded.
I hope this post helps you set up a centralized log server in your environment. The added situational awareness will improve your overall security posture, and if you are investigating an outage or a compromise, having every host's logs and every user's commands in one place is especially useful. As always, if you have any questions feel free to reach out: support@automox.com.
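A sturdier version of the PROMPT_COMMAND logger, as an added example that is not part of the original post: it parses the history entry correctly for any entry number, does not re-log the previous command when the user just presses Enter, and records the exit status, tty and working directory alongside the command so the record on the server answers "did it work, and where" as well as "what". The cmdlog_ function names, the CMDLOG_SEEN variable and the "cmdlog" syslog tag are my choices; the destination layout under /data/logs/HOSTS comes from the post.

```shell
#!/bin/bash
# Added example, not from the original post. Append to /etc/bashrc (Fedora)
# or /etc/bash.bashrc (Raspbian) in place of the one-line export.

# Strip the "  123  " (or "  123* " for an edited entry) prefix that
# `history 1` prints. bash right-aligns the number in a five-character
# field, so a field-based `cut -d" " -f 5-`, the usual one-liner, only
# works for three-digit numbers: "    7  ls -la" gives "7  ls -la" and
# "12345  ls -la" gives "-la". Assumes HISTTIMEFORMAT is unset (the default).
cmdlog_strip_history() {
    printf '%s\n' "$1" | sed 's/^ *[0-9]*[ *] *//'
}

# One key=value record per command; easy to grep or parse on the server.
cmdlog_record() {
    # $1 user  $2 uid  $3 tty  $4 working dir  $5 exit status  $6 command
    printf 'user=%s uid=%s tty=%s pwd=%s status=%s cmd=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

cmdlog_prompt() {
    local status=$?     # read first: anything else run here overwrites it
    # PROMPT_COMMAND also fires on the first prompt and on an empty Enter,
    # which would log the previous command again. HISTCMD only advances
    # when a new entry was added to the history, so key on it. (With
    # HISTCONTROL=ignoredups an exact repeat adds no entry and is not logged.)
    [ "$HISTCMD" = "${CMDLOG_SEEN-}" ] && return
    CMDLOG_SEEN=$HISTCMD
    local cmd rec
    cmd=$(cmdlog_strip_history "$(history 1)")
    [ -z "$cmd" ] && return
    rec=$(cmdlog_record "$(id -un)" "$(id -u)" "$(tty 2>/dev/null || echo none)" "$PWD" "$status" "$cmd")
    # -t sets the program name, so on the server this lands in
    # /data/logs/HOSTS/<host>/cmdlog.log with the user inside the record;
    # drop -t to keep the post's one-file-per-user layout instead.
    logger -t cmdlog -- "$rec"
}

# Only interactive shells have prompts; scripts and "ssh host cmd" never
# reach this, and a user can still unset it or start another shell, so
# this is an accountability trail, not tamper-resistant auditing.
case $- in
    *i*) PROMPT_COMMAND=cmdlog_prompt ;;
esac
```

Because the record is key=value, a later grep on the server such as status=0 cmd=sudo or pwd=/etc finds what you are after without parsing the free-form message the one-liner produces.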
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.