> For the complete documentation index, see [llms.txt](https://paul-gleason.gitbook.io/sec-350-enterprise-and-network-security-controls-1/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://paul-gleason.gitbook.io/sec-350-enterprise-and-network-security-controls-1/labs/lab-2.2-syslog-organization-on-log01.md).

# Lab 2.2: Syslog Organization on log01

### Summary:

During this lab we setup mgtm01 and setup the fw to allow connection to the 172.16.150.0/24 network. Then setup chrome remote desktop on mgmt01, ssh key authnetication from mgmt01 to log01. Then setup authpriv messages for rsyslog from web01 and vyos.

### Network Diagram:

<figure><img src="/files/Gz8AubPKzQEgRBJGOwXv" alt=""><figcaption><p>Current Network Diagram</p></figcaption></figure>

### Vyos Password Change:

I actually did this during our first lab because I thought it was a gotcha. [link](/sec-350-enterprise-and-network-security-controls-1/labs/lab-1.1-routing-and-dmz-vyos-log.md#vyos-change-user-passwd)

### SSH keybased authentication:

```
ssh-keygen
ssh-copy-id <user>@<ip>
```

### Authpriv Messages on Linux Systems:

#### Server

Modify the /etc/rsyslog.conf

* Comment out those 4 lines

<figure><img src="https://lh3.googleusercontent.com/a9xElbIqhOqN9B3K8obHf1hop5oRwyWqqbKu2CUtTkwM8yEZQXBlhg66tFXv_5EHjZE1YByxlxBuT0R5vaSkbsycWAJ0sVC53BFuuWw9FJM5N7kxv61ohJ8tEJz4xGdYTs9GgksLgTNdoIM96g1A2DSChU2PJfblxOQMucSTjNE3ckyyP-Mh84mpXmYtcQ" alt=""><figcaption></figcaption></figure>

Add Custom config to /etc/rsyslog.d/\<config\_name>.conf

<figure><img src="https://lh6.googleusercontent.com/tE6l2O_co6mOzlBLmK9eXzZd5djryNTr37skdPILM79rU_4LUQVtYIuq_-JZJSqz4tzUtCzZmMfuBzwnN86XZqKab14-RCy1WEktzx8Rt4NP_TJc0qKJCRUFRFGMRISlTqtDLnGmJ5jSvGYMMM8myRbvoBTd4zhXyVm0kt1mMsgdJ-AynRIx7qEl1FMDGw" alt=""><figcaption><p>Config we used</p></figcaption></figure>

With this config logs will now be output like:

<figure><img src="https://lh6.googleusercontent.com/5o7hdsKuzTvc3eoCtDu-vLNrkmFBB-7Ua1B2qHSZQjrNft87fYSMUTYjmp-cptR2x3bwy5RFNByWnzfw8PCgvdDWP2FdEw6IIXf18aYK_qiK0QmvNWTGIvAFewkvyyAKBT8iGbchzukefuawWTdqjt7RxQqBXh9_aH1-uLJw_M5rSHH2KqFrnTYjWnSOjw" alt=""><figcaption></figcaption></figure>

#### Client:

Edit the rsyslog.d/ config

```
sudo nano /etc/rsyslog.d/sec350-client.conf
```

* Add this line (IP is log machine)

<figure><img src="https://lh5.googleusercontent.com/Df4-c75wKQUUGwXa_VP9S3q5GTimBVAxd1H1AdjJWMVzqqcAkTRunv7Ek1lWgXVkRBPxgH0L85gWXf1pkCPDtVKVS3E4FPDAa2A44ki_7AfgcN3zzpxb_aknCeDgUlelBm268Qbi8MFBqxVM8PnbIazzD4WvZrM5KYSHROpdEISA87zeBnRLRUZisIf7CQ" alt=""><figcaption></figcaption></figure>

Restart rsyslog.service

```
sudo systemctl restart rsyslog.service
```

### Forward Authentication events from vyos:

```
Configure
Set system syslog host <log-ip> facility authpriv level info
Commit
Save
```

### Notes and Difficulties:

SE linux got me once again... I had scp'd to the user home dir the 03-sec250.conf file to log1 and then mv'd it to /etc/rsyslog.d/. This made it so the file had kept the user\_home\_t tag seen below&#x20;

<figure><img src="https://lh6.googleusercontent.com/FdMy9b84FZOoct8gJbehzEmQQEvlvnpjm12a1BhFIRS71iQBQtCW49-JmE2oOrk70BmTJvhxYCtXHMK0lrqofKHGHIUyNOnjF6NnYF0BBu15bB4rGHydUkjtUi_lE9L8B3ulXkZXAq1vcjh4A2c7vVpbdRo1LitumPE0Hy4GeByBmC7yl6g5ZDdBenTHVw" alt=""><figcaption></figcaption></figure>

Fix:

<pre><code>cat &#x3C;file> > &#x3C;file>.bak 
<strong>rm &#x3C;file>
</strong>mv &#x3C;file>.bak &#x3C;file> 
</code></pre>

This will make a new file and remove the user\_home\_t tag and allow SE linux to use the config file.

### VYOS Config:

```
set interfaces ethernet eth0 address '10.0.17.127/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'PAUL-DMZ'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'PAUL-LAN'
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM LAN to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'fw1-paul'
set system name-server '10.0.17.2'
```
