[Instructor] Let's install syslog-ng on our Ubuntu router. Type sudo apt-get install syslog-ng, press ENTER. Type Y and press ENTER. Let's check if our syslog-ng service is up and running: type systemctl status syslog-ng, press ENTER. It's active. Press Q to exit.

The syslog-ng service is running on our Ubuntu router, which is the same host where Snort is installed. We'll forward Snort log messages through the syslog-ng log service, then we'll forward the same log messages to a centralized log server. The centralized log server solution we'll be using is Kiwi.

Let's go to the syslog-ng configuration file by typing cd /etc/syslog-ng/, press ENTER. Type ls, press ENTER, and you can see the syslog-ng.conf file here. Type sudo nano syslog-ng.conf, press ENTER. Let's do a search and look for the term destination: press CTRL+W together, type destination, press ENTER. We'll create our own destination here to define the destination for the Snort log messages being forwarded to our centralized log server, Kiwi.

Type destination, and then df, standing for destination facility, underscore snort underscore remote. We'll be using UDP instead of TCP to send our log messages because we don't really need a reliable connection. UDP stands for User Datagram Protocol. Type the IP of the target log server, which is 10.0.0.5: udp, then 10.0.0.5 in double quotes, and then the port number, port, which is 514 for logging; close parenthesis, semicolon. Our destination is now defined.

The next step is to define our own log function so that we can forward our messages to the third-party remote log server. Let's go down to the end of the file and type log. We first define what the source is: type source(s_src);. As you can see here, the syslog-ng.conf file defines s_src as all the messages coming from the local host, including the messages originating from our Snort program. Next we'll be using a filter, a predefined one here, which is f_auth, so type filter(f_auth);. Do you remember that one of the log facility types used by Snort was facility_auth?

The last step is to specify the destination we defined earlier. Type destination df_snort_remote. We're now done with editing our syslog-ng.conf file. Let's save it by pressing the CTRL and X keys together. Type Y and let's accept the current file name by pressing ENTER. Let's restart syslog-ng so that we get to use the updated configuration information. Type sudo systemctl restart syslog-ng, press ENTER. Our syslog-ng server has just restarted without any problems. What this means is that from now on, all the Snort log messages are being forwarded to our remote centralized log server.