Debian, RedHat: /var/log/*

• lastlog
• dmesg
• messages (Padrão RedHat)
• syslog (Padrão CentOS)
• lastb
• last
• /etc/rsyslog.conf
• echo "cron.* /var/log/cron.log" > /etc/rsyslog.d/cron.conf && systemctl restart rsyslog (Servidor Ubuntu)

• /etc/logrotate.d/
• Criação do arquivo de rotate para o cron
• logrotate -f /etc/logrotate.conf
• ls -latr /var/log/cron
• cat /etc/crontab
• ls /etc/cron.daily/
• /var/log/secure

• sudo apt install aditd -y
• /var/log/audit/audit.log

• Interface entre uma aplicação e o Kernel do Linux

• auditctl -a exit,always -F arch=b64 -S clock_settime -F key=changehour && auditctl -l
• tail /var/log/audit.log
• ausyscall --dump
• auditctl -l >> /etc/audit/rules.d/audit.rules && systemctl restart auditd

• ausearch -k changehour
• ausearch -x /usr/bin/crontab
• aureport --summary
• aureport -m

• PAM são módulos para auditoria específica nos sistemas Linux

• ls -l /etc/pam.d/
• echo "session required pam_tty_audit.so disable= enable=root log_passwd" >> /etc/pam.d/common-password*
• echo '-a always,exit -F arch=b64 -F euid=0 -S execve' >> /etc/audit/rules.d/audit.rules
• echo '-a always,exit -F arch=b32 -F euid=0 -S execve' >> /etc/audit/rules.d/audit.rules
• tail -f /var/log/audit.log
• apt install audispd-plugins -y
• ls -l /etc/audit/plugins.d/
• tail -f /var/log/messages

• Habiilitar as configurações da porta 514 dentro do rsyslog.conf

• echo "template (name="LogRemoto" type="string" string="/srv/log/%HOSTNAME%/%PROGRAMNAME%.log")" > /etc/rsyslog.d/template.conf
• echo ". ?LogRemoto" >> /etc/rsyslog.d/template.conf
• mkdir /srv/log && chown syslog:syslog -R /srv/log

• Dentro dos servidores Client's habilitar a coleta remota

• echo '. @@graylog' >> /etc/rsyslog.conf && systemctl restart rsyslog

• Graylog

• apt install rsyslog-gnutls gnutls-bin -y
• mkdir /etc/rsyslog-keys
• certtool --generate-privkey --outfile ca-key.pem && chmod 400 ca-key.pem
• certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
• certtool --generate-privkey --outfile webserver-key.pem --bits 2048
• certtool --generate-request --load-privkey webserver-key.pem --outfile webserver-request.pem
• certtool --generate-certificate --load-request webserver-request.pem --outfile webserver-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
• scp ca.pem webserver usuario@webserver:/tmp*

• WebServer

• yum install rsyslog-gnutils -y
• mkdir /etc/rsyslog-keys
• mv /tmp/ /etc/rsyslog-keys/*

• DEBIAN_FRONTEND=noninteractive apt install mysql-server mysql-client mysql-common rsyslog-mysql -y
• mysql -u root -e 'CREATE DATABASE Syslog;'
• mysql -u root -D Syslog < /usr/share/dbconfig-common/data//rsyslog-mysql/install/mysql
• mysql -u root -D Syslog -e "CREATE USER rsyslog@localhost IDENTIFIED BY 'rsyslog';"
• mysql -u root -D Syslog -e 'GRANT ALL ON Syslog. TO rsyslog@localhost;'*
• vim /etc/rsyslog.d/mysql.conf Incluir login e senha da base
• systemctl restart rsyslog
• mysql -u root -D Syslog -e 'SELECT ID, fromHost, Message FROM SystemEvents;'

• mysqldump Syslog > backup-banco-syslog.sql
• mysqldump Syslog SystemEvents > backup-tabela-syslog.sql
• mysql -u root -D Syslog -e 'DROP TABLE SystemEvents;'
• mysql -u root -D Syslog < backup-tabela-syslog.sql
• **cp /opt/bkp-banco.sh /usr/local/bin/ && chmod u x /usr/local/bin/bkp-banco.sh && mkdir /opt/backup"
• cp /usr/local/bin/bkp-banco.sh /etc/cron.daily/bkp-banco
• run-parts /etc/cron.daily/ Força a execução do cron no exato momento

• apt install -y apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen
• vim /etc/environment , JAVA_HOME="/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/"
• Instalação do MongoDB conforme a doc Oficial
• Instalação do ElasticSearch conforme a doc Oficial
• Instalação do Graylog conforme a Doc Oficial
• pwgen -N 1 -s 96
• echo -n leandro | sha256sum
• vim /etc/graylog/server/server.conf

• Configuração dos hosts apontando para o Syslog via SyslogUDP
• for count in $(seq 1 10); do curl http://192.168.100.61:8081; done
• Regex Extractor: HTTP/1.1"(. ?)\s. para extrair os campos com o intuito de criar os Dashboards
• Alerta para envio de email pelo Graylog
• Alerta para envio de notificações via RocketChat

• Instalação do ElasticSearch, Logstash, Filebeat, Metricbeat

• ** yum install awslogs -y**
• docker container run -d --name nginx --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group=nginx-logs --log-opt awslogs-create-group=true -p 80:80 nginx