
guardsight/gsvsoc_docker-system-of-record


Synopsis

This package deploys a containerized central logging server quickly. The hierarchy is designed as a modular system. The syslog-ng container writes logs to the host filesystem, so they are retained on the central server and remain accessible outside of the Docker container.

Roadmap

See : https://github.com/guardsight/gsvsoc_docker-system-of-record/wiki/Roadmap

Overview

This is a snapshot to help understand what is going on. The overview assumes the stack is running as a Docker service on a physical host or virtual machine.

                        ------------------------------------------
                        |                                        |
            601/TCP     |        -------------                   |
            514/UDP     |        | Syslog-ng |                   |
        Syslog In --->  | --->   |    Docker |                   |
                        |        | Container |                   |
                        |        -------------                   |
                        |                |                       |
            Flat File   | <--------------|                       |
/logs/HOSTS/$IP/$Date/* |                |                       |
                        |                |    -------------      |
                        |                 --->| Optional  |      | Optional Access Calls
                        |                     |   Docker  |      | <-------
                        |                     |Containers |      |
                        |                     -------------      |
                        |                    Elastic             |
                        |                    Kibana              |
                        |                    Fleet               |
                        ------------------------------------------

Hardware Requirements

  • Memory : At minimum 8GB of ram. Provision additional RAM as needed.
  • Processor : At minimum 4 cores.

Prerequisites

  • Sudo access to a Debian-based Linux host
  • Internet access to download software
  • The instructions below are written for Ubuntu 16.04 or later; they can be adapted for a CentOS installation.

Installation

Install Dependencies

Single Script

  1. Run the installation script from the repository directory
    1. sudo bash ./setup-system-of-record.sh

Manual

  1. Install latest updates and docker

    1. sudo apt update
    2. sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common
    3. curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
    4. sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
    5. sudo apt update
    6. sudo apt-get install -y docker-ce
    7. Note: apt-key is deprecated on Ubuntu 22.04 and later. On those releases store the key under /etc/apt/keyrings and reference it with a signed-by option in the repository entry instead of running apt-key add.
  2. Install Docker Compose

    1. sudo curl -L "https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    2. sudo chmod +x /usr/local/bin/docker-compose
    3. Note: the binary is fetched over HTTPS without any integrity check. Compare it against the checksum published on the release page before marking it executable.
  3. Prep directories

    1. sudo mkdir -p /opt/secops
    2. sudo mkdir -p /logs/HOSTS
  4. Install git and jq

    1. sudo apt install -y git jq

Configuration

  1. Make sure you have enough vm mappings available
    1. sudo sysctl -w vm.max_map_count=262144
    2. Note: sysctl -w does not survive a reboot. Persist the setting in a file under /etc/sysctl.d/ so the optional Elastic container keeps starting after the host restarts.

Set up permissions

  1. Create a local logs group
    1. sudo groupadd -g 1111 logs
  2. Create a local user and add to logs group
    1. sudo useradd -u 1111 -g 1111 logs
  3. Change ownership and permissions of the /logs and /opt/secops directories
    1. sudo chown -R logs:logs /logs
    2. sudo chmod -R 750 /logs
    3. sudo chown logs:logs /opt/secops
    4. sudo chmod 770 /opt/secops
    5. sudo usermod -aG logs $(whoami)
  4. Refresh user groups
    1. newgrp logs
    2. Note: newgrp only affects the current shell. If the new group membership does not take effect, log off the machine and log back on.
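
The permission steps above decide who can read the collected logs, so it is worth checking them rather than trusting that every chown and chmod ran. The script below is an added example, not part of this repository: it verifies that a directory carries the expected owner, group and mode, and that a user is a member of a group. The function names and the audit wrapper are this example's own; it assumes GNU coreutils (stat -c) and the logs user and group created above.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository): verify that the log tree and
# the secops directory carry the ownership and modes set in the steps above,
# and that the invoking user is a member of the logs group.
# Assumes GNU coreutils `stat` and the logs:logs user/group created above.

# check_dir_perms DIR EXPECTED_OWNER EXPECTED_GROUP EXPECTED_MODE
# Returns 0 when all three match, 1 otherwise, printing every mismatch.
check_dir_perms() {
    local dir=$1 want_owner=$2 want_group=$3 want_mode=$4
    local owner group mode rc=0
    [ -d "$dir" ] || { echo "MISSING  $dir"; return 1; }
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$owner" = "$want_owner" ] || { echo "OWNER    $dir: $owner (want $want_owner)"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP    $dir: $group (want $want_group)"; rc=1; }
    [ "$mode"  = "$want_mode"  ] || { echo "MODE     $dir: $mode (want $want_mode)"; rc=1; }
    return $rc
}

# in_group USER GROUP: 0 if USER belongs to GROUP (primary or supplementary),
# 1 otherwise. `id -Gn` lists every group name the user is a member of.
in_group() {
    local user=$1 group=$2 g
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# audit_system_of_record: the check for the layout described above.
# /logs must be logs:logs 750 (group members can read, others cannot),
# /opt/secops must be logs:logs 770, and the invoking user must be in logs.
audit_system_of_record() {
    local rc=0
    check_dir_perms /logs       logs logs 750 || rc=1
    check_dir_perms /opt/secops logs logs 770 || rc=1
    in_group "$(id -un)" logs || { echo "USER     $(id -un) is not in group logs"; rc=1; }
    return $rc
}
```

Run audit_system_of_record after the permission steps; a non-zero exit with the printed mismatches tells you which step to repeat. Because syslog-ng writes as uid/gid 1111 and readers get in through the group, a mode looser than 750 on /logs (for example 755) silently exposes every collected log to every local account.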

Download Package

  1. cd /opt/secops
  2. git clone https://github.com/guardsight/gsvsoc_docker-system-of-record.git
  3. cd /opt/secops/gsvsoc_docker-system-of-record

Copy Prebuilt Helper Scripts

  1. Add script file to profile.d
    1. sudo cp /opt/secops/gsvsoc_docker-system-of-record/99-infosec.sh /etc/profile.d/
    2. sudo chmod +x /etc/profile.d/99-infosec.sh

Build and Start

  1. cd /opt/secops/gsvsoc_docker-system-of-record
  2. sudo docker-compose -p 'gsvsoc-system-of-record' up --build -d
  3. The service should be up within 20 seconds

Stop Container

  1. cd /opt/secops/gsvsoc_docker-system-of-record
  2. sudo docker-compose -p 'gsvsoc-system-of-record' down

Clean up Containers

  1. cd /opt/secops/gsvsoc_docker-system-of-record
  2. sudo bash docker-cleanup.sh

Update

  1. cd /opt/secops/gsvsoc_docker-system-of-record
  2. sudo docker-compose -p 'gsvsoc-system-of-record' down
  3. sudo bash docker-cleanup.sh
  4. git pull
  5. sudo docker-compose -p 'gsvsoc-system-of-record' up --build -d
  6. The service should be up within 20 seconds

Usage

Raw logs

The logs are stored in /logs/HOSTS/{HOST}/{DATE}/messages.log[.gz].
You can zgrep through these logs to correlate events across hosts or filter down to the data you want.
NOTE: This data stays on disk until it is moved or purged. The package compresses old logs but never deletes them, so plan retention and disk space yourself.

User Management

To read the messages without sudo, a user must be a member of the logs group, which owns /logs with mode 750.

1. sudo usermod -aG logs USERNAME
2. Note: add readers to the logs group, not to the sudo group. Membership in sudo grants full root on the host rather than read access to /logs.

Scheduled Tasks

  1. /etc/cron.daily/GSVSOC-logs-compress.sh
    1. Runs daily and compresses the messages.log files in /logs/HOSTS

Install CronJobs

  1. cd /opt/secops/gsvsoc_docker-system-of-record
  2. sudo cp cronjobs/daily/* /etc/cron.daily/
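
The two everyday operations on the raw-log tree are compressing finished days (what the daily cron job does) and searching across hosts and dates through both the plain and the gzipped files. The script below is an added example and is not the repository's cron script or any code from the project: it assumes the /logs/HOSTS/{HOST}/{DATE}/messages.log[.gz] layout with DATE in YYYY-MM-DD form, takes the tree root as a parameter so it can be tried on a scratch directory, and builds a small constructed sample tree for that purpose. It goes slightly beyond the page by handling a late-arriving messages.log for a day that was already compressed.

```shell
#!/usr/bin/env bash
# Added example, not from the repository: (1) compress finished days the way a
# daily job would, and (2) search across hosts and days through messages.log
# and messages.log.gz with zgrep. Assumes /logs/HOSTS/{HOST}/{DATE}/ layout,
# DATE in %F form; the root is a parameter so it can run on a scratch tree.

# make_sample_tree ROOT: a small constructed tree (two hosts, two days) so the
# functions below can be exercised offline. Every line here is made up.
make_sample_tree() {
    local root=$1
    mkdir -p "$root/10.0.0.5/2024-01-01" "$root/10.0.0.6/2024-01-01" "$root/10.0.0.6/2024-01-02"
    printf '%s\n' \
      'Jan  1 10:00:01 web1 sshd[100]: Failed password for root from 203.0.113.9 port 4444 ssh2' \
      'Jan  1 10:00:02 web1 sshd[100]: Failed password for root from 203.0.113.9 port 4445 ssh2' \
      'Jan  1 10:05:00 web1 CRON[101]: (root) CMD (run-parts /etc/cron.hourly)' \
      > "$root/10.0.0.5/2024-01-01/messages.log"
    printf '%s\n' \
      'Jan  1 11:00:00 db1 sshd[200]: Failed password for admin from 203.0.113.9 port 5000 ssh2' \
      > "$root/10.0.0.6/2024-01-01/messages.log"
    printf '%s\n' \
      'Jan  2 09:00:00 db1 sshd[201]: Accepted publickey for ops from 198.51.100.7 port 6000 ssh2' \
      > "$root/10.0.0.6/2024-01-02/messages.log"
}

# compress_old_logs ROOT TODAY: gzip every ROOT/*/DAY/messages.log with DAY
# != TODAY. Today's file is left alone because syslog-ng is still appending to
# it: gzip would unlink it and the container would keep writing to the old
# inode, invisible in the tree, until it next reopens the file. If a .gz for
# that day already exists (lines arrived after an earlier run), a new gzip
# member is appended instead of clobbering it; zcat and zgrep read concatenated
# members transparently. Prints each .gz produced, returns the failure count.
compress_old_logs() {
    local root=$1 today=$2 f day failures=0
    for f in "$root"/*/*/messages.log; do
        [ -f "$f" ] || continue
        day=$(basename "$(dirname "$f")")
        [ "$day" = "$today" ] && continue
        if [ -e "$f.gz" ]; then
            if gzip -9c "$f" >> "$f.gz" && rm -f "$f"; then echo "$f.gz"; else failures=$((failures+1)); fi
        else
            if gzip -9 "$f"; then echo "$f.gz"; else failures=$((failures+1)); fi
        fi
    done
    return $failures
}

# search_logs ROOT PATTERN DAY [DAY...]: emits "HOST<TAB>DAY<TAB>line" for each
# line matching the extended regex PATTERN, plain or gzipped, so results from
# many hosts can be fed to sort/cut/awk for correlation.
search_logs() {
    local root=$1 pattern=$2; shift 2
    local day f host line
    for day in "$@"; do
        for f in "$root"/*/"$day"/messages.log "$root"/*/"$day"/messages.log.gz; do
            [ -f "$f" ] || continue                 # unmatched glob
            host=${f#"$root"/}; host=${host%%/*}    # first path component
            # -s: ignore unreadable files; -H: prefix the file name, which is
            # stripped below and replaced by the host/day columns.
            zgrep -sH -E -e "$pattern" "$f" | while IFS= read -r line; do
                printf '%s\t%s\t%s\n' "$host" "$day" "${line#*:}"
            done
        done
    done
}

# hits_per_host ROOT PATTERN DAY [DAY...]: "HOST COUNT", most hits first. Shows
# which source generates a signature, or which expected source has gone quiet.
hits_per_host() {
    search_logs "$@" | cut -f1 | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Real use on the host (mirrors the zgrep usage described above):
#   compress_old_logs /logs/HOSTS "$(date +%F)"
#   hits_per_host /logs/HOSTS 'Failed password' "$(date -d yesterday +%F)" "$(date +%F)"
```

The search deliberately emits host and day as separate tab-delimited columns instead of the file path that zgrep -H prints, so the same output pipes into cut, sort and awk whether the hit came from a live messages.log or an archived .gz. If you replace the repository's cron script with something like compress_old_logs, keep the today check; compressing the file syslog-ng has open is the classic way to lose a day of logs without any error being raised.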

Debugging

Follow container logs

  1. sudo docker logs --follow syslog-ng

Test Case

  1. The following is meant to be run on the Docker host, not inside the container
  2. echo "testing_tcp" | nc -w1 127.0.0.1 601
  3. echo "testing_udp" | nc -u -w1 127.0.0.1 514
  4. Wait at least 20 seconds, and then verify the log has appeared
  5. Check raw logs for existence
    1. zgrep -sE "testing_((tcp)|(udp))" /logs/HOSTS/*/"$(date +'%F')"/*
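
The test above sends a bare string with no syslog header and a fixed marker, so a second run cannot tell a fresh hit from the one left on disk by the first. The script below is an added example, not part of the repository: it builds a properly framed RFC 3164 line (a <PRI> header, timestamp, host and tag), carries a per-run token, sends it over both transports from the host, and checks today's raw logs for exactly two hits. The function names are this example's own; it assumes bash, nc with the -w and -u options used above, GNU date and hostname, and the /logs/HOSTS layout.

```shell
#!/usr/bin/env bash
# Added example, not part of the repository: an end-to-end test that sends a
# framed RFC 3164 message with a unique token. A line without a <PRI> header
# is stored with syslog-ng's default facility and severity; sending a real
# header exercises the parsing path production senders will use.
# Assumes bash, nc (-w/-u as used above), GNU date, hostname, /logs/HOSTS.

# syslog_pri FACILITY SEVERITY: prints PRI = facility*8 + severity.
# Returns 1 for out-of-range values (facility 0-23, severity 0-7).
syslog_pri() {
    local fac=$1 sev=$2
    case $fac in ''|*[!0-9]*) return 1;; esac
    case $sev in ''|*[!0-9]*) return 1;; esac
    [ "$fac" -le 23 ] && [ "$sev" -le 7 ] || return 1
    echo $((fac * 8 + sev))
}

# build_rfc3164 FACILITY SEVERITY HOSTNAME TAG MSG
# Prints "<PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG". %e pads the day of month
# with a space, which is what RFC 3164 specifies for days 1-9.
build_rfc3164() {
    local fac=$1 sev=$2 host=$3 tag=$4 msg=$5 pri
    pri=$(syslog_pri "$fac" "$sev") || return 1
    printf '<%s>%s %s %s: %s\n' "$pri" "$(date '+%b %e %T')" "$host" "$tag" "$msg"
}

# send_test_message PROTO TARGET PORT MSG  (PROTO is tcp or udp)
send_test_message() {
    local proto=$1 target=$2 port=$3 msg=$4
    case $proto in
        tcp) printf '%s\n' "$msg" | nc -w1 "$target" "$port" ;;
        udp) printf '%s\n' "$msg" | nc -u -w1 "$target" "$port" ;;
        *)   echo "unknown proto: $proto" >&2; return 1 ;;
    esac
}

# run_e2e_test [ROOT]: one message per transport with a per-run token, wait
# for syslog-ng to flush, then expect exactly two hits in today's raw logs.
run_e2e_test() {
    local root=${1:-/logs/HOSTS}
    local token="gsvsoc-e2e-$(date +%s)-$$"
    local line hits
    line=$(build_rfc3164 1 6 "$(hostname)" e2e-test "${token}_tcp") || return 1   # user.info
    send_test_message tcp 127.0.0.1 601 "$line"
    line=$(build_rfc3164 1 6 "$(hostname)" e2e-test "${token}_udp") || return 1
    send_test_message udp 127.0.0.1 514 "$line"
    sleep 20   # the README allows up to 20 seconds before the line is on disk
    hits=$(zgrep -shE "${token}_(tcp|udp)" "$root"/*/"$(date +%F)"/* 2>/dev/null | wc -l)
    [ "$hits" -eq 2 ]
}
```

Call run_e2e_test from the host after the stack is up; exit status 0 means both transports delivered and the line landed under today's directory, anything else points at the transport or the volume mount. Because the token changes every run, the zgrep cannot be satisfied by a hit that the previous run left behind.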

See

  • Instruction:W-0021_-_How-To_Create_A_Syslog_Infrastructure