2. Overview
● What is a “Centralized Log Server”?
● Why do we need a Centralized Log Server?
● Importance of using a Centralized Log Server
● Ease of getting logs!
● SPLUNK!!!
● DEMO
4. What is a “Centralized Log Server”?
It is a normal workstation with a free RedHat Linux 6
install and no additional software installed.
It relies on basic Linux knowledge to collect the logs from
all clients over TCP and UDP connections to one
centralized machine.
6. Importance of Using a Centralized Log Server
- Collect security logs from all workstations and
servers on one machine
- Monitor the network and respond to attacks
- Show password changes for all users
- Show when ANY workstation reboots or
shuts down
7. Ease of getting logs! “/var/log/”
User “root” changed his password:
Mar 23 14:57:20 localhost passwd: pam_unix(passwd:chauthtok): password changed for root
Local Authentication Failure:
Mar 23 14:58:46 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost= user=root
Poweroff or Reboot:
Mar 22 15:58:01 localhost init: tty (/dev/tty2) main process (1896) killed by TERM signal
SSH Authentication Failure:
Mar 18 01:13:18 rhel5.vmz sshd[2793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.2 user=root
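As an added example (not part of the original slides), the detection logic a central log server could run over the four kinds of entries shown above: it parses the standard syslog header, classifies each line as a password change, local or SSH authentication failure, or reboot/shutdown, and pulls out the user and remote host where the message carries them. The sample lines are the slide's own entries, unwrapped, plus one constructed cron line that should not match.

```python
import re
from typing import Optional

# Syslog header "Mon DD HH:MM:SS host prog[pid]: msg" as written by the stock syslog daemon.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Ordered rules: (event name, regex over the program field, regex over the message).
# Named groups in the message regex become fields of the resulting record.
RULES = [
    ("password_change", r"^passwd$", r"chauthtok.*password changed for (?P<user>\S+)"),
    ("ssh_auth_failure", r"^sshd$", r"authentication failure;.*rhost=(?P<rhost>\S*).*user=(?P<user>\S*)"),
    ("local_auth_failure", r"^login$", r"authentication failure;.*user=(?P<user>\S*)"),
    # The slide uses init killing a tty getty with TERM as its reboot/shutdown indicator.
    ("reboot_or_shutdown", r"^init$", r"main process \(\d+\) killed by TERM signal"),
]

def classify(line: str) -> Optional[dict]:
    """Return a record {"event", "host", "ts", ...} for a known event, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a syslog line we understand; skip rather than guess
    for event, prog_re, msg_re in RULES:
        if not re.match(prog_re, m["prog"].strip()):
            continue
        mm = re.search(msg_re, m["msg"])
        if mm:
            rec = {"event": event, "host": m["host"], "ts": m["ts"]}
            rec.update({k: v for k, v in mm.groupdict().items() if v})  # drop empty rhost= etc.
            return rec
    return None

def scan(lines):
    """Run classify() over a batch of lines and keep only the recognised events."""
    return [r for r in (classify(l) for l in lines) if r]

# Constructed input: the slide's four entries on one line each, plus a harmless cron line.
SAMPLE = [
    "Mar 23 14:57:20 localhost passwd: pam_unix(passwd:chauthtok): password changed for root",
    "Mar 23 14:58:46 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost= user=root",
    "Mar 22 15:58:01 localhost init: tty (/dev/tty2) main process (1896) killed by TERM signal",
    "Mar 18 01:13:18 rhel5.vmz sshd[2793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.2 user=root",
    "Mar 18 01:13:19 rhel5.vmz cron[1000]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE):
        print(rec)
```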
8. SPLUNK!!
- Graphical User Interface application to view
system logs
- Free & Open Source project
- Quick search, saved searches, alerting, scheduling,
and dashboard creation
- Graphical reports