So. It’s been a few months since I last posted here. I decided that the best way to sharpen my cyber skills would be to start treating my home environment like an enterprise one. In approaching this thought experiment, I thought:
“What key functions would I have in a production, enterprise network that I don’t have here?”
I have an IDS (Snort) but there are some holes:
- Vulnerability scanning
- Log aggregation
- Centralized identity management
- Endpoint protection
In thinking through things, I decided I’ll tackle these one at a time. First things first, let’s get some log aggregation going.
After doing some research, I decided that the open source version of Graylog would be my choice for this function on my pseudo-production network. I thought about running this on my OpenBSD router/firewall, but decided that the stack necessary would just overwhelm the machine. Therefore I spun up a virtual host in my hosting environment of choice (DigitalOcean) and started installing / configuring things.
I decided to run Ubuntu 18.04 LTS for the core OS on the virtual machine and followed this tutorial to get Graylog up and running. Once I had the core server running, I decided to figure out how to get log data pushed to it. Since I want everything I do to be open source, I figured that rSyslog would be my best approach. It appeared to be native (or nearly native) on most of the operating systems I run and integrated nicely with Graylog.
I added a “Syslog UDP” Graylog input on a high numbered port on my server, used UFW to open a hole for the traffic and then started researching the arcane syntax of the /etc/rsyslog.conf file that would be necessary to work this bit of magic and get my log messages pushed to my aggregator. I figured it out in about 30 seconds but thought – “No way. It can’t be that easy!” and dug around for a while until I decided to just try it. Here is the incredibly complex piece of syntax you have to use:
Where the single at sign means to use UDP, the 1234 is the port you are running the Graylog input listener on and “your.graylog-server.example.com” is the FQDN of your Graylog server. No kidding, it’s that easy!
Slug that in as the last line in /etc/rsyslog.conf on a Linux box, restart the rsyslog service:
sudo systemctl restart rsyslog
and you are cooking with gas. I’ve still not cracked the code with OpenBSD, but with all of my other ‘nix boxes, it’s dead simple. Now to tackle Windows (yes, I have a few Windows machines).
For Windows, the common wisdom on the Internet says you should use nxLog as the agent on the Windows box and ship the log data over to Graylog in GELF format. After adding a GELF UDP input listener on Graylog and playing around for a while, I ended up with the following configuration file for nxLog that worked:
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Input eventlog>
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_udp
    Host        your.graylog-server.example.com
    Port        1234
    OutputType  GELF
</Output>

<Route 1>
    Path        eventlog => out
</Route>
Make sure to put in your FQDN for your Graylog server and the port number you are running your GELF input on.
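To check that a GELF UDP input like the one above is actually reachable, and to see what an agent such as nxLog puts on the wire, here is an added Python example (not from the original post, nor nxLog's or Graylog's own code) that builds a GELF 1.1 message, gzips it and splits it into the chunked datagram format Graylog reassembles; the host name and port are the post's placeholders, and the chunk size is an assumption.

```python
"""Build, compress and chunk GELF messages for a Graylog 'GELF UDP' input.
Added example, not from the original post. Host/port defaults are assumptions."""
import gzip, json, os, socket, struct, time

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # marks a chunked GELF datagram
MAX_CHUNK_PAYLOAD = 8192 - 12      # 12-byte chunk header, stay under 8 KiB

def build_gelf(host, short_message, level=6, **extra):
    """Return a GELF 1.1 dict. Extra fields get the mandatory '_' prefix;
    '_id' is reserved by the spec and is rejected."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is not allowed as an additional field")
        msg["_" + key] = value
    return msg

def encode_gelf_udp(msg, chunk_size=MAX_CHUNK_PAYLOAD):
    """gzip the JSON body and split it into at most 128 datagrams (chunk layout:
    2-byte magic, 8-byte message id, sequence number, sequence count, payload)."""
    body = gzip.compress(json.dumps(msg).encode("utf-8"))
    if len(body) <= chunk_size:
        return [body]
    pieces = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]
    if len(pieces) > 128:
        raise ValueError("message too large for GELF UDP chunking")
    msg_id = os.urandom(8)
    return [GELF_CHUNK_MAGIC + msg_id + struct.pack("BB", n, len(pieces)) + p
            for n, p in enumerate(pieces)]

def decode_gelf_udp(datagrams):
    """Reassemble chunks (in any arrival order) and gunzip, as the input does."""
    if datagrams[0].startswith(GELF_CHUNK_MAGIC):
        chunks = {}
        for d in datagrams:
            seq, total = struct.unpack("BB", d[10:12])
            chunks[seq] = d[12:]
        body = b"".join(chunks[i] for i in range(total))
    else:
        body = datagrams[0]
    return json.loads(gzip.decompress(body).decode("utf-8"))

def send_gelf(msg, host="your.graylog-server.example.com", port=1234):
    """Fire the datagrams at the GELF UDP input (no delivery guarantee on UDP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in encode_gelf_udp(msg):
            s.sendto(d, (host, port))
```

A message sent with send_gelf should show up in the GELF input's "Show received messages" view within a few seconds; if it does not, the path (firewall, port, input binding) is the problem rather than the agent.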
At this point, I logged into each machine on my network and the log messages started flowing smoothly! Just for fun I set up an email alert capability and set some thresholds on failed root logins for the ‘nix boxes to let me know if anything funky is happening.
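As an added example of the kind of failed-root-login threshold mentioned above (not part of the original post), here is a Python rule run over constructed sshd lines in the traditional syslog layout rsyslog forwards; the host names, addresses and the 3-in-5-minutes threshold are assumptions.

```python
"""Threshold alert for failed root logins. Added example, not from the original
post; the log lines below are constructed samples, not real captures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (RFC 3164-style timestamps, as rsyslog forwards them).
SAMPLE_LOG = """\
Mar  3 10:00:01 web01 sshd[2011]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 10:00:04 web01 sshd[2011]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar  3 10:00:07 web01 sshd[2014]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 10:00:09 web01 sshd[2016]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar  3 10:00:12 web01 sshd[2018]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
Mar  3 10:20:00 db01 sshd[3301]: Failed password for root from 203.0.113.9 port 52000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse_failed_logins(text, year=2024):
    """Yield (timestamp, host, user, source_ip) for each failed-login line.
    Syslog timestamps carry no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["src"]

def root_login_alerts(text, threshold=3, window=timedelta(minutes=5)):
    """Return (host, source_ip, count) for every host/source pair that has at
    least `threshold` failed root logins inside one sliding time window."""
    buckets = defaultdict(list)
    for ts, host, user, src in parse_failed_logins(text):
        if user == "root":
            buckets[(host, src)].append(ts)
    alerts = []
    for (host, src), times in buckets.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:        # first window that trips the rule
                alerts.append((host, src, j - i + 1))
                break
    return alerts
```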
Next up – vulnerability scanning!
OpenBSD really isn’t any different than the other *NIXes. Put the same line you use for rsyslog at the bottom of /etc/syslog.conf && rcctl restart syslogd.
I tried that. Even installed rsyslog and still nothing coming out from tcpdump.
Maybe something in your pf.conf is blocking it? That’s literally all I did to get OpenBSD logging to Splunk (and it worked for Logstash too).
In OpenBSD, you can stick with the syslogd that is included in base and add something like this to /etc/syslog.conf
So I’ve done that and yet I’m not seeing any outbound traffic with tcpdump when I use logger to write to the syslog. I know that it isn’t a pf issue because the machines that sit behind this router can write to Graylog just fine. Any thoughts?
Thanks for writing this