Configure Vector to parse your auth.log file using regular expressions. This lets you extract key fields such as the username, error message, and logname from each line.

3. Set up a sink that sends the parsed logs to Better Stack for centralized monitoring. Add the following configuration to your vector.yaml file:
# Two sinks: one prints the parsed events to the console for debugging, the other ships them to Better Stack for centralized monitoring.
sinks:
  print:                            # Console sink, useful while verifying the parser
    type: "console"
    inputs: ["parse_auth_log"]      # Consume events from the parse_auth_log transform (inputs is a list)
    encoding:
      codec: "json"                 # Emit each event as one JSON object
  better_stack_http_sink:           # HTTP sink that delivers events to Better Stack
    type: "http"
    method: "post"                  # Send events with HTTP POST
    inputs: ["parse_auth_log"]      # Same parsed events as the console sink
    uri: "https://in.logs.betterstack.com/"   # Better Stack ingest endpoint
    encoding:
      codec: "json"
    auth:
      strategy: "bearer"            # Authenticate with a bearer token
      token: "<your_source_token>"  # Replace with the source token from Better Stack; keep it out of version control
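As an added example that is not code from the page or from Vector, here is the extraction the parse step performs, written in Python so the regex can be checked on constructed auth.log lines before it is used in Vector's parse_regex function (both use the same (?P<name>...) named-group syntax). The sample lines, hostnames and addresses are constructed, not taken from a real system.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in the classic syslog layout that
# the parse_auth_log transform receives (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 web1 sshd[2214]: Accepted publickey for deploy from 198.51.100.7 port 50222 ssh2: ED25519 SHA256:abc
Mar 10 08:01:40 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar 10 08:01:43 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar 10 08:02:05 web1 sshd[2240]: Failed password for root from 203.0.113.5 port 41030 ssh2
Mar 10 08:03:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart vector
Mar 10 08:03:00 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by deploy(uid=1000)
"""

# Syslog envelope: timestamp, host, program name (the "logname"), optional pid, message.
ENVELOPE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<logname>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)
# sshd outcome lines: result, auth method, optional "invalid user", username, source address.
SSHD_AUTH = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<username>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)

def parse_line(line):
    """Return a dict of fields for one auth.log line, or None if it is not syslog-shaped."""
    m = ENVELOPE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["logname"] = event["logname"].strip()
    a = SSHD_AUTH.match(event["message"])
    if a:  # enrich sshd events with the login outcome fields a dashboard groups on
        fields = a.groupdict()
        fields["invalid_user"] = fields.pop("invalid") is not None
        event.update(fields)
    return event

def failed_logins_by_user(text):
    """Count failed sshd logins per username, the series an 'auth activity' chart would plot."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("result") == "Failed":
            counts[ev["username"]] += 1
    return dict(counts)
```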
4. Restart Vector to apply the changes.
5. Visit Better Stack’s Dashboards section and create a new dashboard, either from one of their predefined templates or from a blank canvas.
6. Add a chart that displays authentication activity over time: select the Linux Authentication Logs source, click “Create Chart,” and choose SQL expression as the query type.
7. Save the chart and add it to your dashboard.
8. Repeat steps 5-7 for any additional charts or metrics you want to monitor.
9. Set up log fields for grouping by creating a new field in Better Stack’s Fields section with a SQL expression that extracts a specific data point from your logs. Once defined, these fields let you filter and query your data directly.

To avoid overloading your server with too many log files, consider implementing back-pressure so that clients send logs at a controlled rate rather than pushing them all at once. This helps prevent downtime and ensures you don’t lose critical data during peak traffic periods.

In terms of reliability, rsyslog does have a contingency for bad forwarding: it disables the faulty module. However, in our architecture the client and server are tightly coupled, so if the server goes down the client risks losing log messages for good. To address this, we can use action queues in rsyslog so that logs are delivered reliably even when communication with the remote server is temporarily disrupted.