Lab 3

The document outlines the steps to set up a logging system under Linux using a syslog server and client machines. It includes tasks for configuring virtual machines, setting IP addresses, and configuring the syslog service on both client machines and network devices. Additionally, it covers customizing log storage, testing log receipt, and a bonus exercise for creating a web interface to view logs.

Uploaded by yomaxi5211

TP 02: Setting up a logging system under Linux

Objective: set up a central syslog server and have a Linux server and the network switches send their logs to it.
Preparing the environment:
1. Install two named virtual machines in a virtualization environment: the syslog server and SRV 1.
2. In GNS3, add:
a. 1 core switch (SW-DC)
b. 2 access switches (SW-ACC1) and (SW-ACC2)
3. Import the VMs into GNS3.
4. Build the following topology in GNS3.

5. Configure the following IP addresses on the two VMs and the three switches:


• Syslog server: 192.168.10.250
• SRV 1: 192.168.10.1
• Switch SW-DC : 192.168.10.50
• Switch SW-ACC1 : 192.168.10.51
• Switch SW-ACC2 : 192.168.10.52
Exercise 01: Initial Syslog Service Analysis
On the syslog server:
1. Check that the rsyslog service is installed.
2. Start the rsyslog service.
3. Open the /etc/rsyslog.conf configuration file and read through its contents.
4. From it, identify the log categories: the facilities and severity levels used in the selector rules, and the file each rule writes to.
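To make step 4 systematic, the following script (an added example, not part of the lab handout) extracts the legacy "facility.priority action" rules from an rsyslog configuration file and lists the distinct facilities. The stand-alone demo runs it over a constructed sample modelled on a Debian default rsyslog.conf (an assumption); on the syslog server point the functions at /etc/rsyslog.conf instead.

```shell
#!/bin/sh
# Added example (not part of the lab handout): read the legacy
# "facility.priority  action" rules out of an rsyslog.conf so the log
# categories asked for in Exercise 01 can be listed mechanically.
# The demo below uses a constructed sample modelled on a Debian default
# configuration (an assumption); pass /etc/rsyslog.conf on the real server.

write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/rsyslog.conf
module(load="imuxsock")
$FileOwner root
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
mail.err                        /var/log/mail.err
*.emerg                         :omusrmsg:*
daemon.*                        -/var/log/daemon.log
EOF
}

# Print one "facility priority action" triple per selector in the file.
# Comments, legacy $directives, RainerScript statements (module(...),
# input(...), if/else/stop) and blank lines are skipped.
rsyslog_rules() {
    awk '
        NF < 2                        { next }   # blank or action-less line
        /^[ \t]*#/                    { next }   # comment
        /^[ \t]*\$/                   { next }   # legacy directive ($FileOwner ...)
        /^[ \t]*[a-z]+\(/             { next }   # RainerScript: module(...), input(...)
        /^[ \t]*(if|else|stop)/       { next }
        {
            action = $NF
            n = split($1, sel, ";")             # e.g. *.*;auth,authpriv.none
            for (i = 1; i <= n; i++) {
                dot = index(sel[i], ".")
                if (dot == 0) continue
                prio = substr(sel[i], dot + 1)
                m = split(substr(sel[i], 1, dot - 1), fac, ",")
                for (j = 1; j <= m; j++) print fac[j], prio, action
            }
        }' "$1"
}

# Distinct facilities referenced by the rules: the "categories" of Exercise 01.
rsyslog_facilities() {
    rsyslog_rules "$1" | awk '{ print $1 }' | LC_ALL=C sort -u | tr '\n' ' '
}

# Stand-alone demo on the constructed sample
conf=$(mktemp)
write_sample_conf "$conf"
echo "facility priority action"
rsyslog_rules "$conf"
echo "facilities: $(rsyslog_facilities "$conf")"
rm -f "$conf"
```

A rule such as `*.*;auth,authpriv.none -/var/log/syslog` expands to three triples (`*`, `auth` and `authpriv`), which is how the "none" exclusions become visible; the leading `-` on an action means the file is written without a sync after every message.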
Exercise 02: Configuring the Syslog Service
Q1: Configuring the Syslog Service on Client Machines
The following steps are run directly on the SRV 1 server.
1. Start the rsyslog service.
2. Configure the server as a syslog client and forward its logs to the syslog server.
3. For security reasons, use port 10514 instead of the default port 514. (Changing the port is not a protection on its own: restrict who may reach it in the server firewall, and use TCP with TLS if the logs must be protected in transit.)
4. To limit the load on the server:
i) Send only daemon-facility messages of severity error (3) and above, keeping a local copy in /var/log/daemon.log.
ii) Assuming SRV 1 offers an SSH service, send the auth and authpriv messages, keeping local copies in /var/log/auth_critique.log for messages of severity critical (2) and above and in /var/log/auth_pas_critique.log for the rest.
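The client-side rules of Q1 as a script that renders them and installs them as a drop-in file. This is an added example, not the handout's own solution; it assumes rsyslog with the legacy selector syntax, a drop-in directory /etc/rsyslog.d/ included by /etc/rsyslog.conf, and forwarding over TCP (`@@`; a single `@` would be UDP) to 192.168.10.250:10514.

```shell
#!/bin/sh
# Added example (not from the lab handout): generate and install the rsyslog
# client rules of Exercise 02 Q1 on SRV 1. Assumptions: rsyslog legacy
# selector syntax, drop-in directory /etc/rsyslog.d/, TCP forwarding ("@@")
# to the syslog server on port 10514.

SYSLOG_SERVER=${SYSLOG_SERVER:-192.168.10.250}
SYSLOG_PORT=${SYSLOG_PORT:-10514}

# Print the rule set for a given server and port.
render_client_rules() {
    server=$1
    port=$2
    cat <<EOF
# /etc/rsyslog.d/10-forward.conf (generated)
# (i) daemon facility, severity error (3) and above: local copy, then forward
daemon.err                           /var/log/daemon.log
daemon.err                           @@${server}:${port}

# (ii) auth/authpriv: critical (2) and above in one file, the rest in another
# ("!crit" drops crit and above), everything forwarded. sshd logs failed
# passwords at auth.info, so they land in the "rest" file.
auth,authpriv.crit                   /var/log/auth_critique.log
auth,authpriv.*;auth,authpriv.!crit  /var/log/auth_pas_critique.log
auth,authpriv.*                      @@${server}:${port}
EOF
}

# Write the rules into a drop-in directory. Only when the target really is
# /etc/rsyslog.d is the full configuration validated (rsyslogd -N1) and the
# service restarted.
install_client_rules() {
    dir=$1
    mkdir -p "$dir"
    render_client_rules "$SYSLOG_SERVER" "$SYSLOG_PORT" > "$dir/10-forward.conf"
    if [ "$dir" = /etc/rsyslog.d ] && command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 && systemctl restart rsyslog
    fi
}

# Stand-alone demo: render into a scratch directory rather than /etc/rsyslog.d
demo=$(mktemp -d)
install_client_rules "$demo"
cat "$demo/10-forward.conf"
rm -rf "$demo"
```

On SRV 1 run `install_client_rules /etc/rsyslog.d` as root. Because the forwarding rules are separate from the file rules, a message of severity error on the daemon facility is both kept locally and sent once; `logger -p daemon.err "test"` is a quick way to exercise the path.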
Q2: Configuring the Syslog service on network devices
The following steps are run directly on the switches (SW-DC), (SW-ACC1) and (SW-ACC2).
1. Enable the syslog service: logging on
2. Configure sending of logs to the syslog server on the chosen port (IP = 192.168.10.250, Nport = 10514): logging host IP transport udp port Nport
3. Set the trap level so that only messages of severity warning (4) and above are sent: logging trap warnings

Q3: Configuring the Syslog Service on the Syslog Server
The following steps are executed directly on the syslog server.
1. Enable log reception on port 10514 (UDP for the switches; TCP as well if SRV 1 forwards over TCP).
2. Allow incoming traffic to port 10514 in the server firewall, from the lab network only.
Exercise 03: Customizing Logs in the Syslog Server
By default, the syslog server stores all logs from the client machines according to their facility, mixed with its own. In a larger and more complex environment it becomes hard to tell the different sources apart. To fix this:
1. Store the logs generated by the syslog server itself with severity critical (2) and above in /var/log/local/critique.log, and the rest of its own logs in /var/log/local/pas_critique.log.
2. Using a template, store the logs received from the client machines in files named as follows:
/var/log/clients/IP_client/facility.log
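The server side of Q3 and of Exercise 03 in one script: it renders the rsyslog listener, the per-client template and the local critique/pas_critique split, and prints the matching firewall rules. This is an added example, not the handout's solution. It assumes rsyslog 7 or later (RainerScript syntax), a drop-in directory /etc/rsyslog.d/, that the lab network is 192.168.10.0/24 (the handout gives no subnet mask), that the server's own messages arrive with `$fromhost-ip` equal to 127.0.0.1, and ufw or firewalld as the host firewall.

```shell
#!/bin/sh
# Added example (not from the lab handout): rsyslog server configuration for
# Exercise 02 Q3 and Exercise 03, plus the matching firewall rules.
# Assumptions: rsyslog 7+ (RainerScript), drop-in directory /etc/rsyslog.d/,
# lab network 192.168.10.0/24 (no mask in the handout), local messages carry
# $fromhost-ip == "127.0.0.1", ufw or firewalld as the host firewall.

LAB_NET=${LAB_NET:-192.168.10.0/24}

# Print the server configuration for a given listening port.
render_server_conf() {
    port=$1
    cat <<EOF
# /etc/rsyslog.d/20-central.conf (generated)
# Q3: listen on ${port}, UDP for the switches and TCP for SRV 1
module(load="imudp")
input(type="imudp" port="${port}")
module(load="imtcp")
input(type="imtcp" port="${port}")

# Exercise 03.2: one file per client IP and facility (directories are
# created by omfile as needed)
template(name="PerClient" type="string"
         string="/var/log/clients/%fromhost-ip%/%syslogfacility-text%.log")

if \$fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="PerClient")
    # remote messages must not pollute the server's own log files
    stop
}

# Exercise 03.1: the server's own messages, split at severity critical (2)
if \$syslogseverity <= 2 then {
    action(type="omfile" file="/var/log/local/critique.log")
} else {
    action(type="omfile" file="/var/log/local/pas_critique.log")
}
EOF
}

# Print the firewall commands that open PORT (UDP and TCP) from NET only,
# for the given tool (ufw or firewalld). Printed rather than executed so the
# commands can be reviewed; pipe to sh as root to apply them.
firewall_rules() {
    tool=$1; port=$2; net=$3
    case $tool in
    ufw)
        printf 'ufw allow from %s to any port %s proto udp\n' "$net" "$port"
        printf 'ufw allow from %s to any port %s proto tcp\n' "$net" "$port"
        ;;
    firewalld)
        for proto in udp tcp; do
            printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" "$net" "$port" "$proto"
        done
        printf 'firewall-cmd --reload\n'
        ;;
    *)
        echo "unknown firewall tool: $tool" >&2
        return 1
        ;;
    esac
}

# Write the configuration into a drop-in directory.
install_server_conf() {
    dir=$1; port=$2
    mkdir -p "$dir"
    render_server_conf "$port" > "$dir/20-central.conf"
}

# Stand-alone demo: scratch directory instead of /etc/rsyslog.d, rules printed
demo=$(mktemp -d)
install_server_conf "$demo" 10514
cat "$demo/20-central.conf"
echo "# firewall (ufw):"
firewall_rules ufw 10514 "$LAB_NET"
rm -rf "$demo"
```

On the server run `install_server_conf /etc/rsyslog.d 10514`, then `rsyslogd -N1` to validate and `systemctl restart rsyslog`; apply the firewall rules with `firewall_rules ufw 10514 192.168.10.0/24 | sh` (or `firewalld`). The `stop` after the per-client action is what keeps /var/log/local/*.log limited to the server's own messages, which is the distinction Exercise 03 asks for.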
Exercise 04: Testing and verification
1. Using Wireshark on the server, capture the traffic on port 10514, analyze it and confirm that logs are received from the different machines.
2. From the syslog server, connect by SSH to SRV 1 with non-existent credentials (wrong password) and check that the failed login has been reported to the syslog server.
3. On the switches, disconnect one of the interconnection cables and check that the link-down alert has been reported to the server.
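A small checker for the three tests, as an added example that is not part of the handout. It assumes the per-client file layout of Exercise 03 (/var/log/clients/<ip>/<facility>.log), the lab addresses, that sshd logs to the auth facility and that the switches use the IOS default facility local7. The log lines in the demo are constructed; on the real server set LOG_ROOT to /var/log/clients.

```shell
#!/bin/sh
# Added example (not from the lab handout): checks for Exercise 04, run on the
# syslog server. Assumes the per-client layout of Exercise 03
# (/var/log/clients/<ip>/<facility>.log), sshd logging to the auth facility
# and IOS switches using the default facility local7. The sample log lines in
# make_demo_tree are constructed for the stand-alone demo.

LOG_ROOT=${LOG_ROOT:-/var/log/clients}

# Capture filter for step 1, usable with tcpdump or as a Wireshark capture
# filter.
capture_filter() {
    printf 'udp port %s or tcp port %s\n' "$1" "$1"
}

# Return 0 if a line matching PATTERN exists in the file of CLIENT/FACILITY.
received() {
    client=$1; facility=$2; pattern=$3
    f="$LOG_ROOT/$client/$facility.log"
    [ -f "$f" ] && grep -q -- "$pattern" "$f"
}

# Build a scratch tree with constructed lines: the failed SSH login SRV 1
# forwards (sshd logs it at auth.info) and what an IOS switch emits on a cable
# pull. With "logging trap warnings" the switch sends only %LINK-3-UPDOWN
# (severity 3); %LINEPROTO-5-UPDOWN (severity 5) never leaves the switch, so
# its absence on the server is expected, not a fault.
make_demo_tree() {
    root=$1
    mkdir -p "$root/192.168.10.1" "$root/192.168.10.51"
    cat > "$root/192.168.10.1/auth.log" <<'EOF'
Mar  4 10:12:01 srv1 sshd[1423]: Failed password for invalid user test from 192.168.10.250 port 51222 ssh2
EOF
    cat > "$root/192.168.10.51/local7.log" <<'EOF'
Mar  4 10:15:42 192.168.10.51 23: *Mar  4 10:15:41.102: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
EOF
}

# Stand-alone demo on the constructed tree
demo=$(mktemp -d)
make_demo_tree "$demo"
LOG_ROOT=$demo
echo "capture filter: $(capture_filter 10514)"
received 192.168.10.1 auth 'Failed password' && echo "SRV 1: failed SSH login received"
received 192.168.10.51 local7 'LINK-3-UPDOWN' && echo "SW-ACC1: link down received"
received 192.168.10.51 local7 'LINEPROTO-5-UPDOWN' || echo "SW-ACC1: LINEPROTO-5 absent (below trap level, expected)"
rm -rf "$demo"
```

On the server, `tcpdump -ni eth0 "$(capture_filter 10514)"` (interface name assumed) shows the same packets Wireshark does; after `ssh wronguser@192.168.10.1` with a bad password, `received 192.168.10.1 auth 'Failed password'` should succeed, and after pulling a cable on SW-ACC1 `received 192.168.10.51 local7 'LINK-3-UPDOWN'` should succeed while the LINEPROTO-5 message stays on the switch.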
Exercise 05 (Bonus): Viewing the logs
Create an intuitive web interface to view all the logs collected and generated by the Syslog
server.
