日志审计
以安恒日志审计为例
很多单位都需要日志审计功能,因此 Linux 系统要配置 syslog 功能,Windows 要配置 agent,以实现对操作系统的日志审计。
- Linux配置syslog进行日志审计
配置路径:/etc/rsyslog.conf
在配置文件末尾增加一条转发规则:*.* @IP地址:514(选择器 *.* 与 @IP地址:514 之间必须有空格;单个 @ 表示 UDP 转发,@@ 表示 TCP 转发)。
配置完成后需要重启 rsyslog 服务,之后就可以在日志审计页面查看到对应的系统。
[root@localhost ~]# vim /etc/rsyslog.conf
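# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Both receivers below stay disabled on purpose: this host only forwards its
# own logs to the audit server and does not need to accept syslog on port 514.
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

# Forward everything to the log-audit server; replace IP with its address.
# The selector (*.*) and the action must be separated by whitespace, exactly
# as in the commented example above -- written as *.*@IP:514 the whole token is
# read as the selector and the rule is rejected. A single @ sends over UDP,
# which is unencrypted and gives no delivery confirmation; use @@ (TCP) together
# with the queue directives above where reliable delivery matters, as the
# vendor comments recommend. Keep comments on their own line here.
*.* @IP:514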
- Windows需要安装agent
安装包解压后有两个文件分别nxlog.conf和nxlog-ce-2.10.2150.msi。
执行 *.msi 后按照默认安装,安装完成后需要用解压得到的 nxlog.conf 替换安装目录下的同名配置文件,替换文件路径是 C:\Program Files (x86)\nxlog\conf。
修改刚刚替换的 conf 文件:将 <Output out> 段中 Host 的值更改为日志审计服务器地址。
修改完成后需要重启 nxlog-ce 服务:在控制面板 -> 管理工具 -> 服务中找到 nxlog 服务,点击右键选择重新启动。注意:每次修改 nxlog.conf 后都需要重启 nxlog 服务,配置才会生效。
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
# ROOT must match the directory nxlog was actually installed into; this package
# installs under Program Files (x86), so the 64-bit path above stays commented out.
# Every other path below is derived from ROOT.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Formatting helpers for syslog and JSON. As written, the inputs below assemble
# $raw_event by hand and the output sends it unchanged, so neither extension is
# referenced by any rule in this file; they are harmless to keep for later use.
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
#define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log
#<Extension fileop>
#Module xm_fileop
## Check the size of our log file every hour and rotate if it is larger than 1Mb
#<Schedule>
#Every 1 hour
#Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 2);
#</Schedule>
## Rotate our log file every week on sunday at midnight
#<Schedule>
#When @weekly
#Exec file_cycle('%LOGFILE%', 2);
#</Schedule>
#</Extension>
# Windows Event Log input: collects every record from the System, Security and
# Application channels. ReadFromLast TRUE presumably means only events written
# after nxlog starts are forwarded, so history is not replayed -- confirm against
# the nxlog manual before relying on it for an audit baseline.
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="System">*</Select>
</Query>
<Query Id="1">
<Select Path="Security">*</Select>
</Query>
<Query Id="2">
<Select Path="Application">*</Select>
</Query>
</QueryList>
</QueryXML>
# Flattens each event into one pipe-delimited line in the field order the audit
# server expects (channel, time, source, id, type, category, user, host, message).
# The full $Message is included, so event payloads leave the host in this format.
<Exec>
$raw_event = "0|EventlogType=" +$Channel +
"|DetectTime=" +$EventTime +
"|EventSource=" +$SourceName +
"|EventID=" +$EventID +
"|EventType=" +$EventType +
"|EventCategory="+$Task +
"|User=" +$AccountName+
"|ComputerName=" +$Hostname +
"|Description=" +$Message;
</Exec>
# Exec log_info("raw event is: " + $raw_event);
</Input>
# Tails the Tencent RTX server security log files. SavePos persists the read
# offset across restarts so lines are not re-sent; ReadFromLast skips existing
# content on first start. If RTX is not installed on this host, this input can
# be dropped together with its name in the Route's Path below.
<Input in2>
Module im_file
File 'C:\Program Files (x86)\Tencent\RTXServer\Logs\Security\*'
SavePos TRUE
ReadFromLast TRUE
#Exec $raw_event = 'DbAppSOCAgent get log from "abc" ' + $raw_event;
#Exec log_info("raw event 2 is: " + $raw_event);
</Input>
#<Input in3>
#Module im_file
#File 'C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log\20151217_130836\\*.log'
#SavePos TRUE
#ReadFromLast TRUE
#Exec $raw_event = 'DbAppSOCAgent get log from "sqlserver" ' + $raw_event;
#Exec log_info("raw event 3 is: " + $raw_event);
#</Input>
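# Single UDP destination for all collected events.
# om_udp sends in cleartext and gives no delivery confirmation, so this path
# should stay on a trusted management network; dropped datagrams are lost
# silently. Comments are kept on their own line rather than after a value.
<Output out>
    Module om_udp
    # Set Host to the address of the log-audit server.
    Host 172.16.100.20
    Port 514
</Output>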
# Wires both active inputs to the single UDP output. in3 (the commented-out SQL
# Server log input above) was removed from the path when that input was disabled;
# any input added later must also be listed here or its events go nowhere.
<Route udp1>
# Path eventlog,in2,in3 => out
Path eventlog,in2 => out
</Route>