home.lab: Logging (part 5)

When practicing new attacks or other things in the lab, it is good to know what happens under the hood. That’s where logging comes in handy.

I’ll use Graylog for log collection and processing.

Docker install

The log host will run on Ubuntu 20.04 LTS with Docker. First we need to install Docker from Docker’s own apt repository:

 $ sudo apt-get remove docker docker-engine docker.io containerd runc
 $ sudo apt update
 $ sudo apt-get install ca-certificates curl gnupg lsb-release
 $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
 $ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
 $ sudo apt-get update
 $ sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Now we should have Docker installed; let’s try it:

 $ sudo docker run hello-world

Everything went smoothly, so we proceed to Graylog install.

Graylog install

Graylog has excellent documentation that describes the install process thoroughly:

Graylog install (docker)

If you follow that guide, everything should install according to plan.

Logbeat

In my mind the trickiest part of the whole logging setup is log forwarding on the client computer. Sometimes the documentation is a bit messy and it is not always clear where all the config files should reside. Let’s try to figure this one out.

For Windows servers and clients we will use Winlogbeat, and syslog for Linux servers.

Winlogbeat

  1. Download Winlogbeat client
  2. Edit winlogbeat.yml file
  3. Install service
  4. Test

winlogbeat.yml

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  # Only exists once Sysmon is installed (see the Sysmon section below)
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
# Only applied by the Elasticsearch output; harmless but unused with Graylog
setup.template.settings:
  index.number_of_shards: 1
# Graylog's Beats input speaks the Logstash (Lumberjack) protocol, so the
# Logstash output is the right one. No Kibana/Elasticsearch setup is needed,
# and an ingest "pipeline" setting has no effect with this output.
output.logstash:
  hosts: ["graylog.home.lab:5044"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  # Probes cloud metadata endpoints; in a home lab it just times out quietly
  - add_cloud_metadata: ~
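Steps 3 and 4 of the list above (install the service, test) in PowerShell, as an added example that is not from the original post. It assumes the Winlogbeat zip has already been extracted to C:\Program Files\Winlogbeat (step 1) and that winlogbeat.yml in that folder is the config shown above (step 2); graylog.home.lab:5044 is the Graylog Beats input from that config. Run it from an elevated PowerShell.

```powershell
# Added example: install Winlogbeat as a service and verify the path to Graylog.
# Assumptions: zip extracted to $beatDir, winlogbeat.yml there matches the config
# above, and Graylog's Beats input listens on graylog.home.lab:5044. Run elevated.
$beatDir  = 'C:\Program Files\Winlogbeat'
$beatHost = 'graylog.home.lab'   # Graylog Beats (Logstash protocol) input
$beatPort = 5044

Set-Location $beatDir

# 1. Can this client reach the Beats input at all? Saves a lot of guessing later.
$tnc = Test-NetConnection -ComputerName $beatHost -Port $beatPort
if (-not $tnc.TcpTestSucceeded) {
    throw "Cannot reach ${beatHost}:${beatPort}; check DNS, firewall and that the Beats input is running in Graylog"
}

# 2. Validate winlogbeat.yml before installing anything.
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

# 3. Confirm the output section really connects (does a Lumberjack handshake).
& .\winlogbeat.exe test output -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'Winlogbeat could not talk to the Beats input' }

# 4. Install the service with the script shipped in the zip, then start it.
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
Start-Service -Name winlogbeat
Get-Service -Name winlogbeat | Format-List Name, Status, StartType

# 5. Write a known event to the Application log, then look for it in Graylog
#    under "Show received messages" on the Beats input.
eventcreate /L APPLICATION /T INFORMATION /ID 1000 /D "winlogbeat forwarding test from home.lab"
```

The order matters: test config and test output fail fast with a readable error, whereas a service that starts and silently retries the output every few seconds only shows up as an empty input in Graylog.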

Syslog

By default your server should already have syslog (rsyslog on Ubuntu) installed. Setting the syslog daemon to forward its logs to Graylog is very simple:

$ cd /etc/rsyslog.d/
$ sudo tee -a logforward.conf
*.* @graylog.home.lab
^D
$ sudo systemctl restart rsyslog
$ logger test

Now your setup should be finished and the server is sending logs to Graylog. A single @ means UDP to port 514 unless you append a port (@graylog.home.lab:1514); @@ sends over TCP instead, so the input you create in Graylog in the next step has to match.

Next we need to add a syslog input to Graylog, listening on the same port and protocol rsyslog is forwarding to.

  1. Go to Graylog admin panel
  2. Select “System” -> “Inputs” -> “Select input dropdown menu” -> “Syslog UDP” -> “Launch new input”
  3. Give Title to this new input “Linux syslog” should be ok
  4. Click “Save”
  5. Click “Show received messages” and confirm that setup is working

Repeat the steps above on all the computers you want to monitor and enjoy your new log feed.

Sysmon

If you want to improve your log game, I highly recommend installing Sysmon, which you can download from Microsoft. It is included in the Sysinternals Suite, which also contains lots and lots of other useful tools.

SwiftOnSecurity has an excellent config file you can download from GitHub:

sysmonconfig-export.xml

  1. Download the Sysinternals Suite and unzip it
  2. Copy sysmonconfig-export.xml into that directory
  3. From an elevated prompt: sysmon.exe -accepteula -i sysmonconfig-export.xml
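The three steps above as one PowerShell script, plus a check that events are actually landing in the Microsoft-Windows-Sysmon/Operational channel that the winlogbeat.yml above subscribes to. This is an added example, not from the original post or from the Sysinternals or sysmon-config projects; the two download URLs and the C:\Tools\Sysinternals working directory are assumptions, so verify them before use. Run it from an elevated PowerShell.

```powershell
# Added example: Sysmon install with the SwiftOnSecurity config, then verification.
# Assumed values (not from the original post): the two URLs and $workDir.
$suiteUrl  = 'https://download.sysinternals.com/files/SysinternalsSuite.zip'
$configUrl = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'
$workDir   = 'C:\Tools\Sysinternals'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Location $workDir

# Step 1: download the suite and unzip it into the working directory
Invoke-WebRequest -Uri $suiteUrl -OutFile '.\SysinternalsSuite.zip' -UseBasicParsing
Expand-Archive -Path '.\SysinternalsSuite.zip' -DestinationPath $workDir -Force

# Step 2: put sysmonconfig-export.xml next to sysmon.exe
Invoke-WebRequest -Uri $configUrl -OutFile '.\sysmonconfig-export.xml' -UseBasicParsing

# Sanity check before loading it into a kernel driver: well-formed XML whose
# root element is <Sysmon schemaversion="...">.
[xml]$cfg = Get-Content '.\sysmonconfig-export.xml'
if ($null -eq $cfg.Sysmon) { throw 'sysmonconfig-export.xml does not look like a Sysmon config' }
"Config schema version: $($cfg.Sysmon.schemaversion)"

# Step 3: install the service and driver with that config (elevated prompt)
& .\sysmon.exe -accepteula -i .\sysmonconfig-export.xml
if ($LASTEXITCODE -ne 0) { throw 'Sysmon install failed' }

# Verify: service present and running, active config dumped back by sysmon -c,
# and fresh events in the channel winlogbeat.yml reads.
Get-Service -Name 'Sysmon*' | Format-List Name, Status, StartType
& .\sysmon.exe -c | Select-Object -First 15

Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

If Get-WinEvent returns nothing right after the install, run any program (event ID 1, process creation) and query again; once the events show up locally, the Winlogbeat service should be forwarding them to Graylog within seconds.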

Now you have Sysmon installed and if you like, you can start digging into its configuration and experimenting with it.

Ok, that’s it. Hopefully you got something out of this and I’ll see you in next post.