Posted January 19Jan 19 You are reading Part 9 of the 57-part series: Harden and Secure Linux Servers. [Level 1]This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.System logs are essential for tracking activities, detecting security incidents, and troubleshooting issues. Without proper logging, it’s difficult to identify unauthorized access, configuration changes, or potential attacks.By enabling logging and monitoring, you gain visibility into system activity and can respond quickly to threats.How to Set Up Logging and Monitoring1. Implement Auditing with auditdThe auditd daemon monitors system events and tracks changes to critical files, helping you detect unauthorized access or modifications.How to Install and Configure auditd:Install auditd:sudo apt install auditd -y # For Debian/Ubuntu sudo yum install audit -y # For CentOS/RHELSet up file monitoring rules:Open the audit rules configuration file:sudo nano /etc/audit/audit.rulesAdd rules to monitor critical files:-w /etc/passwd -p wa -k passwd_changes -w /etc/shadow -p wa -k shadow_changes -w /var/log/auth.log -p wa -k auth_changes-w /etc/passwd → Monitors changes to the user account file.-p wa → Watches for write (modifications) and attribute changes.-k passwd_changes → Tags the event for easy filtering.Restart auditd to apply changes:sudo systemctl restart auditdView audit logs:sudo ausearch -k passwd_changes sudo aureport -aThese commands search for and report security events related to monitored files.2. Enable System Logging with rsyslogrsyslog collects system logs, making it easier to track user activity, errors, and security events.How to Enable rsyslog:Ensure rsyslog is installed:sudo apt install rsyslog -y # For Debian/Ubuntu sudo yum install rsyslog -y # For CentOS/RHELStart and enable the logging service:sudo systemctl enable --now rsyslogView system logs:sudo cat /var/log/syslog # General system logs (Ubuntu/Debian) sudo cat /var/log/messages # System logs (CentOS/RHEL) sudo cat /var/log/auth.log # Authentication logs3. Set Up Real-Time Log Monitoring with LogwatchLogwatch generates daily reports summarizing log activity, helping you identify suspicious behavior.How to Install and Use Logwatch:Install Logwatch:sudo apt install logwatch -y # Debian/Ubuntu sudo yum install logwatch -y # CentOS/RHELGenerate a log report manually:sudo logwatch --detail High --service sshd --range today(This provides a detailed report of SSH activity for today.)Schedule automatic daily reports (optional):Open the cron job configuration:sudo nano /etc/cron.daily/00logwatchAdd the following line:/usr/sbin/logwatch --output mail --mailto admin@example.com --detail High(This sends daily log reports to the admin’s email.)Best Practices for Logging and Monitoring✅ Enable centralized logging by forwarding logs to a remote syslog server.✅ Regularly review logs for unusual login attempts or system modifications.✅ Set up real-time alerts for critical log entries using tools like logwatch or fail2ban.✅ Use a log management system like ELK Stack (Elasticsearch, Logstash, Kibana) or Splunk for advanced log analysis.By enabling audit logging and system monitoring, you can track security events, detect intrusions, and investigate incidents effectively, ensuring a secure and well-monitored Linux server.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.