
Question

QUESTIONS (40%)

[1] Why do we need log server?

[2] What port is needed to open on syslog server?

[3] Why do you replace "-m 0" with "-r -m 0" as follows? Replace the line SYSLOGD_OPTIONS="-m 0" with SYSLOGD_OPTIONS="-r -m 0"

[4] Why is the following firewall rule important on a syslog server?

   iptables -I RH-Firewall-1-INPUT -p udp -i eth0 -s 172.16.1.0/24 -d 172.16.1.8 --dport 514 -j ACCEPT

[5] Explain the above firewall rule.

[6] How do you save the current firewall rule set?

[7] How do you make your syslog server web-based so that you can check syslog from anywhere in a secure manner?

Explanation / Answer

A server log is a log file which is automatically created and maintained by the server and which contains a list of the activities it performs.

Example: A web server log which maintains history of page requests.

[1] Server log analytics is used as an alternative method for tracking website users, if the JavaScript tracking method isn't feasible or if strict security policies need to be complied with.

[2] Syslog implements a client-server application structure where the server listens on a well-known or registered port for protocol requests from clients. The most common transport layer protocol for network logging is the User Datagram Protocol (UDP), with the server listening on port number 514; for TCP, the port number is 6514.

[3] Syslog will not listen for remote messages unless the SYSLOGD_OPTIONS variable in the file has a -r included in it, as shown below:

   # -m 0 disables 'MARK' messages.

   # -r enables logging from remote machines.

[4] This rule tells the firewall which constraints are to be applied and in which order, which connection protocol is used, to accept packets only from the specified source, and to send those packets to the destination address via the port number.

[5] -I: insert a rule. It takes 2 options, the rule to be inserted and the rule number in the chain.

-p: The connection protocol used.

-i: Only match if the packet is coming on the specified interface.

-s: Source address

-d: destination address

--dport: the destination port(s) required for the rule. A single port or a range of ports can be given as start:end, which will match all ports from start to end.

-j ACCEPT: jump to specified target and accept the input.

Insert a firewall rule and make it the first rule for the protocol UDP; only match if the packet is coming in on the specified interface from the source 172.16.1.0/24 to the destination address 172.16.1.8 through port 514, and accept the packet.

[6] Save firewall rules to file by using the below command (In Ubuntu):

   sudo sh -c "iptables-save > /etc/iptables.rules"

[7] There are many front-end tools available to make a syslog server web-based so that syslog can be checked from anywhere in a secure manner. Some of these are Papertrail, Logentries, Sumo Logic and syslog-ng.
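A minimal UDP syslog receiver that enforces the same source-subnet and port constraints as the firewall rule discussed in [4] and [5], as an added example that is not part of the original answer. It assumes the listener address 172.16.1.8 and the subnet 172.16.1.0/24 from that rule, uses the standard RFC 3164 facility/severity numbering, and the sample message in the test is constructed.

```python
import ipaddress
import re
import socket
from typing import Optional

# Source network and port taken from the page's iptables rule (-s 172.16.1.0/24,
# --dport 514); the listener address 172.16.1.8 is the rule's -d value (assumed here).
ALLOWED_NET = ipaddress.ip_network("172.16.1.0/24")
LISTEN_ADDR = "172.16.1.8"
SYSLOG_PORT = 514

# RFC 3164 facility (PRI // 8) and severity (PRI % 8) names
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def source_allowed(src_ip: str) -> bool:
    """Second line of defence: re-check the firewall's -s match inside the receiver."""
    return ipaddress.ip_address(src_ip) in ALLOWED_NET


def parse_syslog(raw: bytes) -> dict:
    """Decode a '<PRI>message' datagram into facility, severity and message text."""
    text = raw.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        # No valid PRI field: RFC 3164 says treat the message as user.notice
        return {"facility": "user", "severity": "notice", "message": text}
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "message": m.group(2)}


def handle_datagram(raw: bytes, src_ip: str) -> Optional[dict]:
    """Return the parsed record, or None when the sender is outside the allowed subnet."""
    if not source_allowed(src_ip):
        return None
    return parse_syslog(raw)


def serve(addr: str = LISTEN_ADDR, port: int = SYSLOG_PORT) -> None:
    """Bind UDP/514 (needs root) and print accepted records; runs until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((addr, port))
        while True:
            data, (src_ip, _) = sock.recvfrom(2048)
            rec = handle_datagram(data, src_ip)
            print("dropped" if rec is None else rec, "from", src_ip)
```

Calling serve() starts the listener; the firewall rule still matters because this check only runs after the kernel has already delivered the packet to the socket.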
