Intro to Logs

Question 3: Based on the list of log types in this task, what log type is used by the log file specified in the note from Task 2?

Question 4: Based on the list of log formats in this task, what log format is used by the log file specified in the note from Task 2?

Question 5: After configuring rsyslog for sshd, what username repeatedly appears in the sshd logs at /var/log/websrv-02/rsyslog_sshd.log, indicating failed login attempts or brute forcing?

1. Check if rsyslog is installed by running the command: sudo systemctl status rsyslog

2. Create a new rsyslog configuration file for sshd: nano /etc/rsyslog.d/98-websrv-02-sshd.conf

3. Add the following lines to the configuration file:

$FileCreateMode 0644

:programname, isequal, "sshd" /var/log/websrv-02/rsyslog_sshd.log

4. Save and close the configuration file.

5. Apply the changes by restarting rsyslog: sudo systemctl restart rsyslog

6. To view the contents of the sshd logs, use the cat command: cat /var/log/websrv-02/rsyslog_sshd.log

7. Look for the username that repeatedly appears in the logs, indicating failed login attempts or brute forcing.

Question 6: What is the IP address of SIEM-02 based on the rsyslog configuration file /etc/rsyslog.d/99-websrv-02-cron.conf, which is used to monitor cron messages?

1. Use the cd command to navigate to the rsyslog configuration directory: cd /etc/rsyslog.d/

2. To view the contents of the 99-websrv-02-cron.conf file, use the cat command: cat 99-websrv-02-cron.conf

3. Look for the IP address of SIEM-02 within the contents of the 99-websrv-02-cron.conf file, which is used to monitor cron messages.

Question 7: Based on the generated logs in /var/log/websrv-02/rsyslog_cron.log, what command is being executed by the root user?

1. Navigate to the directory containing the logs using the cd command: cd /var/log/websrv-02/

2. To view the contents of the rsyslog_cron.log file, use the cat command: cat rsyslog_cron.log

3. Examine the logs to identify the command being executed by the root user.

Question 8: Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, how many versions of old compressed log file copies will be kept?

Question 9: Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, what is the log rotation frequency?

1. Use the cd command to navigate to the logrotate configuration directory: cd /etc/logrotate.d/.

2. To view the contents of the 99-websrv-02_cron.conf file, use the cat command: cat 99-websrv-02_cron.conf

3. Look for the configuration option that specifies how many versions of old compressed log file copies will be kept.

Question 10: Upon accessing the log viewer URL for unparsed raw log files, what error does "/var/log/websrv-02/rsyslog_cron.log" show when selecting different filters?

• Access the log viewer URL for unparsed raw log files.

• Navigate to the option to add data or logs.

• Select the file /var/log/websrv-02/rsyslog_cron.log

• Apply different filters or views within the log viewer and observe the error message displayed for the selected filters.

Question 11: What is the process of standardizing parsed data into a more easily readable and queryable format?

Question 12: What is the process of consolidating normalized logs to enhance the analysis of activities related to a specific IP address?

As we conclude this journey, remember that every log is a piece of the puzzle in the ongoing quest to secure our digital realm. Stay curious, stay vigilant, and continue to explore the ever-evolving landscape of cybersecurity.