Many companies, understandably, have a very relaxed “security posture”. I mean, it’s not a very pleasant thing to think that an unauthorized person may be trying to log in to your server.
There is a really easy way, though, to keep an eye on your network: software from Splunk.
This sophisticated software takes gigabytes of data from devices such as Windows Servers, Cisco firewalls, routers and switches, and Linux machines, and summarizes it so that you can easily find patterns in the data, detect system misuse, and protect your business.
Here is an example of a report from my Splunk server showing a targeted attack on a SQL Server…
It’s really easy to configure Windows Servers.
Configuring Linux servers and Cisco devices is a little tricky. I’ve provided the syntax below…
Linux:
STEP#1: Check which syslog daemon the system uses (rsyslog, syslog-ng or classic syslogd with syslog.conf)
ls -d /etc/*syslog*
STEP#2: Modify the daemon’s *.conf file with vi or a GUI editor (ex: /etc/syslog.conf) so that authpriv messages are kept locally and also forwarded to the syslog server
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# A single @ forwards over UDP port 514; rsyslog also accepts @@<host> for TCP.
authpriv.* @<syslog-srv-ip>
STEP#3: Restart the syslog service
service syslog restart (or service rsyslog restart if using rsyslog)
Cisco ASA Firewall:
clock timezone EST -5
clock summer-time EDT recurring
ntp server <ip>
logging enable
logging timestamp
logging trap informational
logging host inside <syslog-srv-ip>
Cisco Router / Switch:
service timestamps debug datetime localtime msec
service timestamps log datetime localtime msec
clock timezone EST -5
clock summer-time EDT recurring
ntp server <ip>
logging trap informational
logging <syslog-srv-ip>
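To show what the collector actually receives once the rules above are in place, here is an added example (not code from the original post, and not Splunk’s own search logic) that parses RFC 3164 syslog lines the way a central collector would, decodes the facility/severity byte that the `authpriv.*` selector and `logging trap informational` settings control, and then counts failed SSH logins and firewall denies aimed at the default SQL Server port per source address. All log lines are constructed samples: the hosts, addresses, process IDs and the ASA message text are illustrative, and the Cisco lines assume the ASA default facility of local4.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# RFC 3164 facility codes relevant to this post. The Linux rule forwards authpriv (10);
# a Cisco ASA uses local4 (20) unless "logging facility" is changed (assumed default).
FACILITIES = {4: "auth", 10: "authpriv", 20: "local4", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
SSHD_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
# ASA "Deny <proto> ... from <src>/<port> to <dst>/<port>" messages (message id 106015 here)
ASA_DENY_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): Deny (?P<proto>\w+) .*?"
    r"from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
SQL_SERVER_PORT = "1433"  # default SQL Server TCP port

# Constructed sample lines, as a collector would receive them after the config above.
SAMPLE_LOGS = [
    # Linux authpriv (10) at severity info (6): PRI = 10*8 + 6 = 86
    "<86>Mar 12 08:14:01 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51822 ssh2",
    "<86>Mar 12 08:14:03 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51823 ssh2",
    "<86>Mar 12 08:14:05 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51824 ssh2",
    "<86>Mar 12 08:14:07 web01 sshd[2210]: Failed password for invalid user oracle from 203.0.113.5 port 51825 ssh2",
    "<86>Mar 12 08:14:09 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51826 ssh2",
    "<86>Mar 12 08:14:30 web01 sshd[2231]: Failed password for jsmith from 198.51.100.7 port 40110 ssh2",
    "<86>Mar 12 08:14:35 web01 sshd[2231]: Accepted password for jsmith from 198.51.100.7 port 40110 ssh2",
    # Cisco ASA, local4 (20) at severity informational (6): PRI = 20*8 + 6 = 166
    "<166>Mar 12 08:15:02 asa01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/51000 to 10.0.0.20/1433 flags SYN  on interface outside",
    "<166>Mar 12 08:15:03 asa01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/51001 to 10.0.0.20/1433 flags SYN  on interface outside",
    "<166>Mar 12 08:15:04 asa01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/51002 to 10.0.0.20/1433 flags SYN  on interface outside",
    # Noise that must not count: a debug-level message and a line with no PRI header
    "<87>Mar 12 08:15:10 web01 sshd[2250]: debug1: Connection closed by 192.0.2.9",
    "garbage without a PRI header",
]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split the PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_syslog(line: str) -> Optional[dict]:
    """Parse one RFC 3164 line; return None for malformed input instead of raising."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        return None
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity, "ts": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (event kind, source IP) for login failures and SQL Server probes, else None."""
    m = SSHD_FAIL_RE.search(event["msg"])
    if m:
        return "ssh_failed_login", m.group("src")
    m = ASA_DENY_RE.search(event["msg"])
    if m and m.group("dport") == SQL_SERVER_PORT:
        return "sqlserver_probe", m.group("src")
    return None


def summarize(lines: List[str], threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Count suspicious events per source IP and keep sources at or above the threshold."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        event = parse_syslog(line)
        if event is None or event["severity"] == "debug":
            continue  # "logging trap informational" on the devices drops debug anyway
        hit = classify(event)
        if hit:
            kind, src = hit
            counts[src][kind] += 1
    return {src: dict(c) for src, c in counts.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for src, kinds in summarize(SAMPLE_LOGS).items():
        print(f"{src}: {kinds}")
```

With the sample data, only 203.0.113.5 crosses the threshold (five SSH failures plus three denied connections to 1433), while the single mistyped password from 198.51.100.7 does not. The same correlation across a Linux host and a firewall is what the Splunk report above is doing at scale; the parser here just makes the facility and severity plumbing visible.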