Working with Syslog Data

Hands-On Lab


Bob Salmans

Security Training Architect I in Content

Length

00:30:00

Difficulty

Beginner

In this lab, we will install, configure, and use Logwatch, which is an application that helps identify events that need review. We'll then manually review syslog data for VNC events and export the syslog data to a text file.



Setting Up the Environment

We will connect to our lab server using VNC. The IP address and login credentials are provided on the lab instructions page.

How you open a VNC connection differs by operating system; the steps below are for macOS.

For Mac users:

  1. Open Finder.
  2. Press Command+K on your keyboard to bring up the Connect to server window.
    • Alternatively, expand Go in the menu at the top of the screen and click Connect to Server.
  3. In the Connect to Server window, connect to vnc://<IP_ADDRESS>:5901, making sure to replace <IP_ADDRESS> with the IP address you were provided in the hands-on lab instructions.

Install and Run Logwatch

Install Logwatch and Mailutils

  1. Run an update.
    sudo apt-get update
  2. Enter your password at the prompt.
  3. Install Logwatch.
    sudo apt-get install -y logwatch
  4. apt pulls in Postfix as Logwatch's mail transport and opens its configuration dialog. Use the Tab key to highlight OK, then press "Enter/Return".
  5. For Mail Configuration, select Local Only and press "Enter/Return".
  6. For System Mailname, use the down arrow to highlight Ok and press "Enter/Return".
  7. Install Mailutils.
    sudo apt-get install -y mailutils

Run Logwatch and View the Results

  1. Manually run Logwatch, asking for a low-detail report covering all services for today's log entries, delivered to root's local mailbox.
    sudo logwatch --detail Low --mailto root --service All --range today
  2. Open root's mailbox to read the report.
    sudo mail
  3. There should be two entries. At the mail prompt, type the number of the Logwatch entry (e.g., 2) and press Enter.
  4. Use your spacebar to scroll through the report.
  5. Press CTRL+X, or your system's equivalent, to exit the report.
  6. Type exit to close the mail application.

Manually Review and Export Syslog Data

Manually Review Syslog Data

  1. Search the syslog file for VNC entries. grep is case-sensitive by default, so use -i to catch "vnc", "VNC", and "Xvnc" alike.
    sudo grep -i vnc /var/log/syslog
  2. Scroll through the matching lines and view the entries pertaining to VNC activity.

Export the Syslog Data to a Text File on the Desktop

  1. Export the syslog data to a file called syslog.txt on the Desktop. Only cat runs under sudo here; the shell opens the output file as cloud_user, so the exported copy is owned by you rather than root, which is what you want for a file on your own Desktop.
    sudo cat /var/log/syslog > /home/cloud_user/Desktop/syslog.txt
  2. From your desktop, open the exported file using Gedit (or another text editor).
  3. Click Search > Find, and type "VNC" in the search box.
  4. Scroll through the highlighted text to view entries pertaining to VNC activity.
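The review and export steps above can be scripted so the filter is repeatable and you can see exactly which lines a case-sensitive grep would miss. The following is an added example, not part of the original lab: it runs over a constructed syslog sample (the Xvnc-style "Connections: accepted: IP::PORT" lines are assumed for illustration; real VNC server message formats vary), filters VNC events case-insensitively, lists the client addresses that connected, and writes both the full log and the VNC subset to files.

```shell
#!/bin/sh
# Added example (not the lab's own code): find VNC activity in syslog-style
# data and export it. Sample lines below are constructed for this example.

# Write a constructed syslog sample to the path given in $1.
make_sample_syslog() {
    cat > "$1" <<'EOF'
Jan 10 09:01:02 lab systemd[1]: Started VNC server for user cloud_user.
Jan 10 09:01:03 lab vncserver[1201]: Listening on port 5901
Jan 10 09:02:15 lab Xvnc[1210]: Connections: accepted: 203.0.113.7::50412
Jan 10 09:02:16 lab Xvnc[1210]: SConnection: Client needs protocol version 3.8
Jan 10 09:03:40 lab sshd[1300]: Accepted publickey for cloud_user from 198.51.100.2 port 51000 ssh2
Jan 10 09:05:01 lab CRON[1350]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 10 09:07:22 lab Xvnc[1210]: Connections: accepted: 203.0.113.7::50518
Jan 10 09:07:23 lab Xvnc[1210]: VNCSConnST: Server default pixel format depth 24
Jan 10 09:09:10 lab Xvnc[1210]: Connections: closed: 203.0.113.7::50412 (Clean disconnection)
EOF
}

# Print every line of file $1 that mentions VNC, case-insensitively.
# A plain "grep vnc" would skip the systemd line above because it logs "VNC".
vnc_events() {
    grep -i 'vnc' "$1"
}

# Count the VNC-related lines in file $1 (tr strips the padding BSD wc adds).
vnc_event_count() {
    vnc_events "$1" | wc -l | tr -d ' '
}

# List the distinct client addresses that were accepted, one per line.
# Assumes the constructed "Connections: accepted: IP::PORT" format.
vnc_accepted_clients() {
    grep -i 'Connections: accepted:' "$1" \
        | sed 's/.*accepted: \([^:]*\)::.*/\1/' \
        | sort -u
}

# Export the full log ($1) to $2 and only the VNC events to $3.
# As in the lab's "sudo cat /var/log/syslog > file", the output files are
# opened by the calling shell, so they are owned by the invoking user.
export_syslog() {
    cat "$1" > "$2"
    vnc_events "$1" > "$3"
}

# Usage: everything goes into a temporary directory so it runs anywhere.
tmp=$(mktemp -d)
make_sample_syslog "$tmp/syslog"
export_syslog "$tmp/syslog" "$tmp/syslog.txt" "$tmp/vnc-events.txt"
echo "VNC-related lines: $(vnc_event_count "$tmp/syslog")"
echo "Clients that connected:"
vnc_accepted_clients "$tmp/syslog"
```

On the real lab host you would point these functions at /var/log/syslog (reading it needs sudo, as in the lab) and at a file on the Desktop; the case-insensitive match is the one change worth carrying back into the manual steps, since the lab's Gedit search for "VNC" would otherwise find lines that the shell grep did not.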

Conclusion

Congratulations, you've successfully completed this hands-on lab!