Monday, February 23, 2009

Linux Admin in a Windows corporation

Over the next few months, I'm going to be writing about the tools, software, and problems/solutions I'm having being a Linux admin in a Windows corporation. Everything so far runs on various versions of Windows, from Windows 2000 right through to 2008 Enterprise Edition in a fair number of its guises.

It's not been too bad so far. I have Windows 7 running inside VirtualBox on my Kubuntu desktop for things that absolutely require Windows and some office stuff (like our corporate intranet site), but other than that I've been using Kubuntu as my main machine.

I've already implemented a Squid proxy for some sites in our DMZ so that we can plug that hole in our firewall and allow them access out to the internet without hopping back to our internal network to the corporate ISA server.

I've also got Nagios running alongside Splunk for monitoring and syslog collection for Windows servers. They are running quite nicely but definitely need some time fettling with them. I have to say the 15-minute guide for Nagios on their new site is actually lying: it doesn't take anywhere near 15 minutes, it's on the good side of 10!

Anyway, enough for now.

Friday, February 13, 2009

Central Syslog for Servers

EDIT: This post was written in a hurry but I promise I will come back to it soon to elaborate.

There are two incredibly useful things about not having your server logs only on the server itself. The first is that when someone compromises your server, plays about with it a bit and then deletes the log files, the copies already shipped to the central server survive.
The second is having all your log files in one place so you can run tools like Splunk on them.

This is how you go about doing it. I will assume that the syslog server (where the logs go to) is running some variation of Linux; these instructions will be largely focussed on Debian.

/etc/init.d/sysklogd stop
edit /etc/sysklogd.conf
change syslogd "" to syslogd "-r -m0"

This will allow remote machines to log to this server (-r) and will remove the -- MARK -- lines (-m0) that plague your logs. I'm still in two minds about removing the mark, as it lets you know that your logs are being written to, but on a large network there will (most likely) always be something somewhere writing to a log file.

Okay, next open up /etc/syslog.conf and add

local7.debug /var/log/enterprise.log

This writes everything that arrives on the local7 facility to that file; the Cisco and Windows devices will log to this machine using that facility.

/etc/init.d/sysklogd start

DONE on the server
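The server-side steps above, as an added example (my own script, not something from the original post), written as shell functions that take the file paths as arguments so you can try them on copies before touching /etc. Two things it assumes, stated here so they are not mistaken for the post's own words: on Debian's sysklogd package the daemon options are read from /etc/default/syslogd through the SYSLOGD variable (that is the file and the syslogd "" line the post is editing), and the selector/action separator in syslog.conf is a tab, which older syslogds insisted on.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: Debian's sysklogd
# reads daemon options from /etc/default/syslogd as SYSLOGD="...". Paths are
# passed in as arguments so the functions can be exercised on scratch copies.

# Set SYSLOGD="-r -m0" in a /etc/default/syslogd-style file, replacing an
# existing assignment or appending one if the variable is missing.
#   -r   accept messages from remote hosts on UDP/514
#   -m0  disable the periodic "-- MARK --" lines
enable_remote_syslog() {
    defaults_file="$1"
    if grep -q '^SYSLOGD=' "$defaults_file" 2>/dev/null; then
        sed -i 's/^SYSLOGD=.*/SYSLOGD="-r -m0"/' "$defaults_file"
    else
        printf 'SYSLOGD="-r -m0"\n' >> "$defaults_file"
    fi
}

# Append the local7.debug rule to a syslog.conf-style file unless a rule for
# local7.debug is already present (so re-running the script is harmless).
add_local7_rule() {
    conf_file="$1"
    logfile="$2"
    if ! grep -q '^local7\.debug[[:space:]]' "$conf_file" 2>/dev/null; then
        printf 'local7.debug\t%s\n' "$logfile" >> "$conf_file"
    fi
}

# Print the SYSLOGD options (quotes stripped) so the change can be checked
# before the daemon is restarted.
syslogd_options() {
    sed -n 's/^SYSLOGD="\(.*\)"$/\1/p' "$1"
}

# Print the action configured for local7.debug, or nothing if the rule is absent.
local7_target() {
    awk '$1 == "local7.debug" { print $2 }' "$1"
}

# Typical use on the server itself (as root), following the post's order:
#   /etc/init.d/sysklogd stop
#   enable_remote_syslog /etc/default/syslogd
#   add_local7_rule /etc/syslog.conf /var/log/enterprise.log
#   /etc/init.d/sysklogd start
# Note that -r makes syslogd accept UDP/514 from any host; sysklogd itself has
# no source filtering, so restrict the port at the firewall to the DMZ hosts
# and network kit that are meant to send here.
```

After the restart, a local test is enough to see the rule working before any Windows box is pointed at it: logger -p local7.debug "central syslog test" and then tail /var/log/enterprise.log. Remote delivery can be confirmed the same way once a client is configured; the line will carry the sending host's name rather than the server's.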

On Windows Clients

Download SNARE from InterSect Alliance, install it, and don't use the web interface.

Run regedit and edit HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\

In Config, change the delimiter to be " " (i.e. a space).
In Network, change the destination to be your syslog server,
and also in Network check that the port is set to 514, which is the default.