Virtualized server + Huawei firewall + kiwi_syslog access traces


1. Applicable scenarios

1. Large and medium-sized enterprises that need to record the access of their users: 3CDaemon, which was used in the past, is only suitable for small networks and cannot cope with large volumes of recorded data, so this example uses the cracked version of kiwi_syslog.
2. When network surveillance or the police investigate illegal access, the external-network access logs, recorded as five-tuples (quintuples), can be provided as evidence.
3. There are many users on the intranet and their external-network access is complex, so electronic records of access over a given period are retained.

2. Topology diagram and ideas

(1) Premise

1. The inter-zone security policies between the devices permit the traffic, and the routes are in place.
2. Traffic from the internal network to the DMZ, from the DMZ to the internal network, from the internal network to the external network, and from the external network back to the internal network can all pass.
3. The virtualization deployment has been completed and the vm server communicates normally with the intranet. If you are not familiar with virtualization deployment, see the earlier article.
4. When configuring the kiwi_syslog service on vm server 2008, the IP address specified for receiving logs is the IP address configured on the firewall's Eth-trunk logical interface that bundles G1/0/2 and G1/0/3 towards LSW1, so the Eth-trunk is a Layer 3 interface (note that in practice the firewall's physical interfaces are configured in Layer 2 mode; after they join the Eth-trunk link aggregation, switch the Eth-trunk logical interface to Layer 3 mode and then configure the IP address on it).

(2) Ideas

1. When configuring the log-receiving interface on the log server kiwi_syslog, specify the IP address of the Eth-trunk interface mentioned above; it then receives traffic logs both for the internal network accessing the server and for the internal network accessing the external network.
2. By virtualizing one physical server into multiple vm servers, you can run several different services on one physical server; the services run independently and there are no port conflicts between them.
3. The link between the firewall and the intranet zone uses Eth-trunk dual-link aggregation, which both load-balances traffic across the two links and provides redundancy: when one link fails, the other continues to operate normally, so the business is not interrupted.

3. Configuration process (this example focuses on kiwi_syslog)

(1) Huawei firewall configuration

1. After logging in to the Huawei firewall, click System at the top, then choose Log Configuration > Log Configuration on the left.
2. Huawei firewall security policy configuration (omitted).
3. Routing configuration (omitted).
Steps 2 and 3 depend on the actual environment and are done to open up the network; for the specific commands, refer to the earlier article.

(2) Install kiwi_syslog on vm server 2008

Download address: Link: http://pan.baidu.com/s/1mhVr84S Password: ptas
1. After decompressing, run kiwi_syslog_server_9.5.0.setup.exe.
2. Accept the license agreement.
3. kiwi_syslog can be installed either as a service or as an application; this example installs it as a service.
4. You can specify an account for the service manually or use the local system account; this example keeps the default local system account.
5. Check the option to install the WEB access method for kiwi_syslog.
6. When choosing the components to install, keep the default NORMAL option.
7. Specify the installation path. Here we keep the default path on drive C; to change it, click the browse button. (The path for saving the log files is set to another drive later; that path is pointed out in the following steps.)
8. During installation you are asked whether to download and install .NET Framework 3.5. (In this example we had already downloaded .NET Framework 4.5.2 manually, so it only needs to be installed.)
9. Wait for the dotnetfx35.exe installation to complete.
10. Wait for the component installation to complete.

11. The WEB access service installation starts; click Next to proceed.
12. The following components need to be installed. The first item was skipped because another version was found.
13. Once the prerequisites are complete, installation of the main application starts automatically.
14. Wait for the prerequisites to finish installing.
15. The kiwi_syslog WEB access installation wizard opens.
16. Accept the agreement and click Next.
17. After installation, the desktop, Start menu, and quick launch bar can show the kiwi_syslog program icon; choose which ones.
18. Specify the installation path.
19. Specify the root path of the site and the access port number.
20. Specify the user name and password for WEB access to kiwi_syslog.
21. You can go back to change settings, or click Install to start the installation.
22. Wait for the installation to complete.
23. Click Finish to complete the installation.

24. When you open it, you can see that the trial period is 14 days, so the cracking process has to be completed next.
25. Open Task Manager, find the three processes whose names start with syslog, and end them one by one.
26. Copy the two files from the keygen ("registration machine") folder into the installation directory, replacing the originals.
27. After replacing the two files, open kiwi_syslog and choose Enter license details from the Help menu to open the license dialog.
28. Choose offline registration rather than Internet registration and click Next.
29. Click the Copy unique Machine ID button to copy the machine code.
30. A prompt confirms that the machine code has been copied to the clipboard; click OK.
31. Running the keygen prompts that .NET Framework 4.0 or above must be installed, so we downloaded .NET Framework 4.5.2.
32. Run the .NET Framework 4.5.2 installer; it starts by extracting its files.
33. The installation program opens.
34. Accept the agreement and install.
35. Wait for the installation to complete.
36. After .NET Framework 4.5.2 is installed, run the keygen again to open it.
37. Paste the machine code copied in step 30 into Enter your Unique Machine ID:, enter the user name, specify a later expiration date (the date on which kiwi_syslog stops running), and click Generate! to generate a license file.
38. Save the generated license file REPT.lic.lic to the desktop.
39. Return to kiwi_syslog, click the browse button, select the REPT.lic.lic just saved to the desktop as the license file, and click Next.
40. After the license file is imported, kiwi_syslog is activated.
41. Click Finish to complete the activation of kiwi_syslog.
42. Open kiwi_syslog and choose About Kiwi Syslog Server from the Help menu: the expiration date shows August 1, 2088, which we set, indicating that activation succeeded.

(3) Configure kiwi_syslog

1. Configure the file name, path, and size of each saved log file in the kiwi_syslog log file settings.
Note: the value 12 in the figure above is the number of log files kept on the log server; the maximum configurable value is 1,000. Configure it according to the actual network traffic: logs are generally kept for half a year to a year, and the size is calculated by observing the traffic during peak periods. In this exercise, 300 MB of log file capacity was consumed in 20 minutes, which comes to approximately 4 TB in half a year.
2. Create a new scheduled task:
(1) Right-click Schedule, choose Add new schedule, and create a new scheduled task.
(2) Set the schedule to run every 7 days, with the unit set to days.
Source field: the path where logs are stored temporarily.
Destination field: the final log storage directory.
After the settings are complete, click Apply, then click OK to exit, and restart kiwi_syslog for the settings to take effect.
(3) Set the path for permanent storage of the log files. In this example drive D is used, because C is the system drive: if the log files are kept for a long time it may fill up, and then neither the operating system nor the log service can operate normally.
3. Configure the protocol and port number on which kiwi_syslog receives logs.
In this exercise we used a Huawei firewall, the UDP protocol, port 514, and entered the internal IP address of the firewall.
Data encoding: select UTF-8 to prevent Chinese output from becoming garbled.
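The five-tuple session records the firewall sends to kiwi_syslog over UDP/514 are what the investigation and verification scenarios above rely on. The following Python example is added here and is not code from the original article or from Kiwi Syslog: it parses syslog messages in the shape a Huawei firewall session log takes, extracts the five-tuple, answers "which external addresses did this internal host reach", and repeats the storage estimate from the note above. The key=value field names and all sample lines are constructed assumptions, not captures from a real device.

```python
import re

# Constructed sample messages: RFC 3164-style <PRI> header followed by a Huawei-like
# key=value session body. Field names are an assumption, not a device capture.
SAMPLE_MESSAGES = [
    "<190>Nov 07 2023 10:21:05 FW1 %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=tcp,"
    "SourceIP=192.168.10.23,DestinationIP=203.0.113.8,SourcePort=51234,DestinationPort=443,"
    "SourceZone=trust,DestinationZone=untrust",
    "<190>Nov 07 2023 10:21:06 FW1 %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=tcp,"
    "SourceIP=192.168.10.23,DestinationIP=192.168.0.21,SourcePort=51240,DestinationPort=8088,"
    "SourceZone=trust,DestinationZone=dmz",
    "<190>Nov 07 2023 10:21:07 FW1 %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,"
    "SourceIP=192.168.10.77,DestinationIP=203.0.113.8,SourcePort=40001,DestinationPort=443,"
    "SourceZone=trust,DestinationZone=untrust",
    # A non-session message carries no five-tuple and must be skipped, not mis-parsed.
    "<14>Nov 07 2023 10:21:08 FW1 %%01SHELL/5/LOGIN(l):User admin logged in from 192.168.0.5",
    "not a syslog line at all",
]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.S)
KV_RE = re.compile(r"(\w+)=([^,]+)")
NEEDED = ("Protocol", "SourceIP", "SourcePort", "DestinationIP", "DestinationPort")

def parse_message(msg):
    """Return a five-tuple dict for a session log line, or None for anything else."""
    m = PRI_RE.match(msg)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)   # PRI = facility*8 + severity
    if facility > 23:                                      # valid facilities are 0..23
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    if any(k not in fields for k in NEEDED):
        return None
    return {"facility": facility, "severity": severity,
            "proto": fields["Protocol"].lower(),
            "src": fields["SourceIP"], "sport": int(fields["SourcePort"]),
            "dst": fields["DestinationIP"], "dport": int(fields["DestinationPort"])}

def five_tuples(messages):
    return [t for t in map(parse_message, messages) if t is not None]

def external_accesses(messages, internal_ip):
    """What one internal host reached: the question an investigation asks of these logs."""
    return [(t["proto"], t["dst"], t["dport"]) for t in five_tuples(messages)
            if t["src"] == internal_ip]

def storage_estimate_gb(mb_per_window, window_minutes, days):
    """The article's sizing rule: 300 MB every 20 minutes is roughly 4 TB in half a year."""
    return mb_per_window * (24 * 60 / window_minutes) * days / 1024
```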

4. Result verification

(1) Generated files

File name and size: each file is split at 300 MB. If a generated file is too large it takes more memory and a long time to open, so in this exercise we configured a log file size of 300 MB; when that size is reached, logging continues in the next file, as shown below:

(2) Opening a log file in Notepad shows contents like the following:

(3) Access the kiwi_syslog server via WEB, using the server's IP address and port number, to view real-time data. In this example the access address is:
http://192.168.0.21:8088

This article ends here. We hope to have more exchanges on the specific parameter settings of kiwi_syslog.


Origin blog.csdn.net/weixin_43075093/article/details/134307466