Adding OpenSSH server logs to Splunk

By default, on most Linux distros, the OpenSSH server (sshd) logs through syslog to the auth log, which on Debian/Ubuntu is /var/log/auth.log (on RHEL/CentOS it is /var/log/secure), so adding it to Splunk monitoring is trivial. Keep in mind that the auth log also carries sudo, PAM and cron entries, so searches against this sourcetype should filter on the sshd process, and that a custom sourcetype name such as OpenSSH gets none of the field extractions Splunk ships for its pretrained linux_secure sourcetype.

Splunk:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/auth.log -index main -sourcetype OpenSSH

Splunk (manual):
sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf


[monitor:///var/log/auth.log]
disabled = false
index = main
sourcetype = OpenSSH
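
Once sshd's lines are in Splunk the question is what to look for in them. The script below is an added example, not code from the original page: it parses the Accepted/Failed lines sshd writes in the default Debian/Ubuntu auth.log format and runs the two checks most worth scheduling first, a failed-login burst per source address and a successful login from a source that had just been failing. The hostnames, addresses and log lines in SAMPLE_AUTH_LOG are constructed for the example.

```python
"""Brute-force detection over sshd auth.log lines shipped to Splunk.

Added example, not code from the original page. It assumes the default sshd
syslog format found in /var/log/auth.log on Debian/Ubuntu; the log lines,
hostnames and addresses below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log (sshd lines only; real files also
# carry sudo, PAM and cron entries, which the regex below simply skips).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 vpn1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:05 vpn1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:09 vpn1 sshd[2205]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar  3 10:01:12 vpn1 sshd[2207]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar  3 10:01:15 vpn1 sshd[2209]: Failed password for root from 203.0.113.7 port 50158 ssh2
Mar  3 10:01:20 vpn1 sshd[2211]: Accepted password for root from 203.0.113.7 port 50166 ssh2
Mar  3 10:05:00 vpn1 sshd[2300]: Accepted publickey for deploy from 198.51.100.4 port 41000 ssh2: RSA SHA256:abc
Mar  3 10:40:00 vpn1 sshd[2400]: Failed password for deploy from 198.51.100.4 port 41100 ssh2
"""

# Matches the Accepted/Failed lines sshd writes; "invalid user" marks names
# that do not exist on the host at all.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Return login events as dicts. Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_bruteforce(events, threshold=5, window_s=300):
    """Sources with >= threshold failed logins inside any window_s-second span.
    Returns {src: largest failure count seen in one window}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def find_success_after_failures(events, min_failures=3, window_s=600):
    """An Accepted login from a source that failed >= min_failures times in the
    preceding window_s seconds: the guess probably worked.
    Returns [(src, user, method, preceding_failures)]."""
    alerts = []
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        if e["result"] == "Failed":
            failures[src].append(e["ts"])
            continue
        recent = [t for t in failures[src] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            alerts.append((src, e["user"], e["method"], len(recent)))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    print("brute force:", find_bruteforce(evs))
    print("success after failures:", find_success_after_failures(evs))
```

The second check is the one that matters: a burst of failures is noise on any internet-facing host, but a burst followed by an Accepted password login for the same source is a compromise until proven otherwise. Roughly the first check as a Splunk search over the sourcetype configured above is `sourcetype=OpenSSH "Failed password" | rex "from (?<src>\d+\.\d+\.\d+\.\d+)" | bucket _time span=5m | stats count by _time, src | where count>=5`.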

Adding OpenVPN logs to Splunk on Ubuntu

By default, on most Linux distros, OpenVPN log output goes through syslog, which on Ubuntu lands in /var/log/syslog mixed in with everything else. Your server config can set the log file explicitly instead, which gives Splunk a clean file to monitor, as shown below:

  1. sudo vi /etc/openvpn/server.conf
  2. Change or add (log-append keeps appending across restarts, so give the file a logrotate entry; the plain log directive would instead truncate it on every restart):
    log-append /var/log/openvpn.log
  3. Restart to use the new config:
    sudo service openvpn restart
  4. Add to Splunk forwarder:
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/openvpn.log -index main -sourcetype OpenVPN

    Splunk (manual):
    sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf

    [monitor:///var/log/openvpn.log]
    disabled = false
    index = main
    sourcetype = OpenVPN

Install Splunk on Ubuntu

Splunk is a popular enterprise-level tool for log collection, analysis and management. While you can buy an Enterprise license, most functions are available in the free edition, which is limited mainly by how much data it will index per day (500 MB at the time of writing).

Setup is very easy:

  1. Download the .deb package for your architecture (i386 vs. amd64) and copy it to the server
  2. sudo dpkg -i splunk*.deb
  3. Start the server:

    sudo /opt/splunk/bin/splunk start

    The first time you run after installation or update you will have to accept terms.

  4. Access the admin screen:

    http://HOSTNAME:8000

    login (admin/changeme)
    change password

  5. Go to Settings > Forwarding and receiving > Configure receiving
    – add new (port 9997)
  6. Open firewall ports (if enabled). The web UI needs 8000, and the receiving port from the previous step (usually 9997) must be reachable from every forwarder or nothing will arrive; keep 8000 limited to admin networks:

    sudo ufw allow 8000
  7. Finally, register Splunk to start at boot (by default this runs Splunk as root; the -user option of enable boot-start registers it under a dedicated account instead):

    sudo /opt/splunk/bin/splunk enable boot-start

Install Splunk Universal Forwarder on Ubuntu

After a while it can get tedious to access and review server logs via the command line. There are several tools available that can provide the same information in a graphical manner. Recently I’ve migrated to Splunk as there are both Enterprise and Free versions available.

  1. Of course, you’ll need a Splunk server installed first, as the forwarder is really just another (lighter) instance that will forward the log information to a central location.
  2. Download the system appropriate installer from:
    http://www.splunk.com/download/universalforwarder
  3. Check whether you are running a 32- or 64-bit OS:

    uname -a

    If you see i686 you are 32-bit, if x86_64 you are 64-bit.
  4. Install the package (you'll likely have a newer version number):

    sudo dpkg -i splunkforwarder-6.1.3-220630-linux-2.6-intel.deb

    or

    sudo dpkg -i splunkforwarder-6.1.3-220630-linux-2.6-amd64.deb
  5. Enable auto-start on reboot:

    cd /opt/splunkforwarder/bin/
    sudo ./splunk enable boot-start

  6. Start the forwarder:

    sudo service splunk start

  7. Set the password:

    The default 'admin' password is 'changeme', so change it immediately, or the following steps will fail with authentication errors.

    sudo /opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme

  8. Set the server:

    sudo /opt/splunkforwarder/bin/splunk add forward-server YOUR_SERVER_ADDRESS:9997

    NOTE: if you get prompted for a Splunk username/password you likely skipped the step above. Remember, the forwarder is a new 'light' installation of the server and as such has its own users.

    NOTE: forwarder-to-indexer traffic on 9997 is plain TCP unless you configure SSL on both ends (a splunktcp-ssl input on the indexer, and sslRootCAPath/sslCertPath in the forwarder's outputs.conf). Authentication logs should not cross an untrusted network without it.

  9. Enable some monitors on the box. Some common services and log locations to get you started:

    Apache2 HTTPd
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/apache2 -index main -sourcetype Apache2
    Tomcat7
    sudo /opt/splunkforwarder/bin/splunk add monitor /opt/tomcat7/logs -index main -sourcetype Tomcat7
    MySQL
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mysql -index main -sourcetype MySQL
    Postfix (SMTP)
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mail.log -index main -sourcetype Postfix
    Squid3 (Proxy)
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/access.log -index main -sourcetype Squid3
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/cache.log -index main -sourcetype Squid3
    SonarQube
    sudo /opt/splunkforwarder/bin/splunk add monitor /opt/sonar/logs -index main -sourcetype Sonar

    Monitoring a directory rather than a file picks up every file under it, rotated copies included.
  10. (OPTIONAL) Verify the configuration by opening the file the CLI writes to:

    sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf

  11. You should now be able to log into your server and see new data flowing from the forwarder.

    NOTE: this requires you to enable 'receiving' of data on the port specified above, usually 9997.
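
Every monitor above, and the sshd and OpenVPN stanzas in the earlier sections, ends up as a [monitor://path] stanza in inputs.conf, and on a fleet of hosts you will want to manage that file rather than type the CLI commands by hand. The script below is an added example, not code from the original page or from Splunk: it merges the page's monitor list into an existing inputs.conf without duplicating stanzas the CLI already wrote, so it can be re-run safely, and reports monitored paths that do not exist on the host, since a stanza for a missing path simply collects nothing and the gap goes unnoticed. The file location, index and sourcetype names are the page's; EXISTING_INPUTS_CONF is a constructed sample of what `splunk add monitor` had already written for sshd.

```python
"""Idempotent inputs.conf generation for the monitors listed on this page.

Added example, not code from the original page or from Splunk. It assumes the
page's layout (inputs.conf under /opt/splunkforwarder/etc/apps/search/local/)
and its index and sourcetype names. EXISTING_INPUTS_CONF is a constructed
sample of what `splunk add monitor` had already written for sshd.
"""
import configparser
import os

# Monitor path -> sourcetype, taken from the sshd, OpenVPN and forwarder
# sections of the page; all go to index "main" as on the page.
MONITORS = {
    "/var/log/auth.log": "OpenSSH",
    "/var/log/openvpn.log": "OpenVPN",
    "/var/log/apache2": "Apache2",
    "/opt/tomcat7/logs": "Tomcat7",
    "/var/log/mysql": "MySQL",
    "/var/log/mail.log": "Postfix",
    "/var/log/squid/access.log": "Squid3",
    "/var/log/squid/cache.log": "Squid3",
    "/opt/sonar/logs": "Sonar",
}

# Constructed: what the CLI had already written for the sshd monitor.
EXISTING_INPUTS_CONF = """\
[monitor:///var/log/auth.log]
disabled = false
index = main
sourcetype = OpenSSH
"""


def parse_inputs_conf(text):
    """Stanza name -> {key: value}. inputs.conf is INI-like, so configparser suffices."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; Splunk setting names are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_monitors(existing_text, monitors, index="main"):
    """Add a [monitor://path] stanza for each monitor not already present.
    Returns (new_text, paths_added); running it again on its own output adds nothing."""
    stanzas = parse_inputs_conf(existing_text)
    added = []
    for path, sourcetype in monitors.items():
        name = f"monitor://{path}"
        if name in stanzas:
            continue  # already monitored, leave the existing stanza untouched
        stanzas[name] = {"disabled": "false", "index": index, "sourcetype": sourcetype}
        added.append(path)
    lines = []
    for name, kv in stanzas.items():
        lines.append(f"[{name}]")
        lines.extend(f"{k} = {v}" for k, v in kv.items())
        lines.append("")
    return "\n".join(lines), added


def missing_paths(monitors, exists=os.path.exists):
    """Monitored paths that are absent on this host. A stanza for a path that
    does not exist collects nothing, so check before deploying the file."""
    return sorted(p for p in monitors if not exists(p))


if __name__ == "__main__":
    conf, added = merge_monitors(EXISTING_INPUTS_CONF, MONITORS)
    print(conf)
    print("added:", added)
    print("missing on this host:", missing_paths(MONITORS))
```

Two things the script cannot check for you: the account the forwarder runs as must be able to read each path (with the boot-start setup above that is root, but on Ubuntu /var/log/auth.log is root:adm mode 0640, so a forwarder running as a dedicated user needs membership in adm), and the forwarder has to be restarted after the file changes.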

WinCVS/CVSNT

CVS (Concurrent Versions System) was once the leader in the version/revision control space. Unfortunately, it has been neglected for years and most application developers have moved to other systems such as Subversion (SVN) or Git.

March Hare took over the CVS code and makes the last few releases available for free on Windows as CVSNT; however, their software prompts you to purchase a supported copy and appends messages to commit logs:

Committed on the Free edition of March Hare Software CVSNT Client.
Upgrade to CVS Suite for more features and support:
http://march-hare.com/cvsnt/

While I openly support development of software such as CVS, these dialogs and commit log messages are annoying. To remove them on Windows, a simple registry change is needed.

One or both of these keys may exist on your system; set the HaveBoughtSuite string value to 'yes':
HKLM\Software\cvsnt\PServer, "HaveBoughtSuite"="yes"
HKLM\Software\CVS\PServer, "HaveBoughtSuite"="yes"

Disable Cisco NAC Agent logging

I recently had to use a Windows computer with Cisco NAC installed, and found that there was a lot of disk activity for logging.

These files would grow to approximately 5MB before rotation.

C:\Documents and Settings\All Users\Application Data\Cisco\Cisco NAC Agent\logs\NACAgentLogCurrent.log
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco NAC Agent\logs\NACAgentLogOld.log

To reduce this overhead (when no problems exist), the agent's config file is plain XML:

  1. Open C:\Program Files\Cisco\Cisco NAC Agent\NACAgentCFG.xml
  2. Add or modify the LogFileSize element, setting it to 0 (zero) as shown below:

    <?xml version="1.0" ?>
    <cfg>
      <DiscoveryHost></DiscoveryHost>
      <LogFileSize>0</LogFileSize><!-- default 5 -->
    </cfg>
  3. Reboot
  4. Remove the old .log files

NOTE: if you ever have networking issues and require support, you will need to restore the default value to ‘5’.
