Overview

● What is “Centralized Log Server” ?

● Why we need Centralized Log Server ?

● Importance of using Centralized Log Server

● Easily of getting logs!

● SPLUNK!!!

● DEMO

What is “Centralized Log Server” ?

What is “Centralized Log Server” ?

It is a normal workstation with free RedHat Linux 6 Installed without any additional software installed

It uses basic Linux Knowledge to collect the logs from all clients through TCP & UDP connections to one centralized machine

Why we need Centralized Log Server ?

Importance of Using C. Log Server

- Collect security logs from all workstations and servers to one machine

- Monitor the network & respond to attacks

- Show password changes for all users

- Show when ANY workstation reboot or shutdown

Easily of getting logs! “/var/log/”

User “root” changed his password:Mar 23 14:57:20 localhost passwd: pam_unix(passwd:chauthtok): password changed for root

Local Authentication Failure: Mar 23 14:58:46 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost= user=root

Poweroff or Reboot:Mar 22 15:58:01 localhost init: tty (/dev/tty2) main process (1896) killed by TERM signal

SSH Authentication Failure:Mar 18 01:13:18 rhel5.vmz sshd[2793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.2 user=root

SPLUNK!!

- Graphical User Interface application to view system logs

- Free & Open Source project

-Quick Search, saved search, alerting,scheduling, and dashboard creation

- Make graphical reports

Any Questions ?!!

THANK YOU !

By: Mohammed Al­Maraghy

RedHat Certified Engineer

            Twitter: @MohammedMaraghy

Maraghy@fedoraproject.org