USING SWATCH WITH SYSLOG-NG

** Unless otherwise instructed, run all these commands as tldadmin

1. Now that syslog-ng is up and running, we're going to modify its configuration so that it will log everything to a SINGLE file.

   Edit /etc/syslog-ng/syslog-ng.conf:

       NOC-TLDX> sudo pico /etc/syslog-ng/syslog-ng.conf

   Add this at the end of the file:

       destination everything {
           file("/var/log/everything"
                template("$DATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
                template_escape(no)
           );
       };

       log { source(s_all); destination(everything); };

   This will enable logging of ALL messages to a single file, so that we can run a monitoring script on the messages.

   Then create the log file:

       NOC-TLDX> sudo touch /var/log/everything

   and restart syslog-ng:

       NOC-TLDX> sudo /etc/init.d/syslog-ng restart

2. It is recommended to enable a daily automated script to rotate the log file so it doesn't grow too big:

       NOC-TLDX> sudo pico /etc/logrotate.d/everything

   and put the following in the file:

       /var/log/everything {
           daily
           copytruncate
           rotate 1
           postrotate
               /etc/init.d/swatch restart
           endscript
       }

3. Install swatch:

       NOC-TLDX> sudo apt-get install swatch

4. Create /etc/swatch.conf:

       NOC-TLDX> sudo pico /etc/swatch.conf

   and add the following lines:

       # Portscan and/or sensitive port attempts
       watchfor /SEC-6-IPACCESSLOGP: list \d+ (permitted|denied) (tcp|udp) ([a-fA-F0-9.:]+)\((\d+)\) -> ([a-fA-F0-9.:]+)\((\d+)\), \d+ packet/
           mail=monitoring,subject=Attempt to connect to $2/$5:$6 from $3:$4
           threshold track_by=$3, type=limit, count=10, seconds=600

   (COPY PASTE THE ABOVE LINES! Don't try to type them in!)

5. Install a mail server on your NOC:

       NOC-TLDX> sudo apt-get install postfix

   (choose "Internet site" when asked)
   (accept the default for System mail name - it should be like NOC-TLDX.TLDX)

       NOC-TLDX> sudo apt-get install mutt

   Create your mailbox by opening it for the first time:

       NOC-TLDX> mutt -f /var/mail/tldadmin

6. Edit the /etc/aliases file:

       NOC-TLDX> sudo pico /etc/aliases

   Add the following alias to the file:

       monitoring: tldadmin

   Then run the "newaliases" command to rebuild the aliases table:

       NOC-TLDX> sudo newaliases

7. Start swatch:

       NOC-TLDX> sudo swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

   Check that it is running:

       NOC-TLDX> ps ax | grep swatch

   You should see a line like the following:

       7165 ?        Ss     0:00 /usr/bin/swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

8. Ask another group to telnet to one of the ports mentioned in the ACLs you created on your router (22, 23, 25, 110, 143). Your ACL is set up to catch traffic coming from OUTSIDE your network to the INSIDE - you won't be able to test this configuration from the inside of the network.

9. Check that mails are coming in:

       NOC-TLDX> mutt -f /var/mail/tldadmin

   Note the information contained in the message. Which port did the other group try to use? What IP did the connection attempt originate from?

References:

* http://www.gentoo-wiki.info/SSH/Swatch
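To see exactly what the swatch.conf rule above matches and how its threshold line behaves, here is an added Python example (not part of this lab sheet and not swatch's own code) that applies the same regex to constructed lines in the /var/log/everything template format and reproduces the track_by=$3 / type=limit logic; the AclAlerter class, the sample lines and the event-time parameter are assumptions made for the example.

```python
import re

# Same pattern as the "watchfor" line in /etc/swatch.conf; the groups map to
# swatch's $1 (permitted|denied), $2 (proto), $3 (src), $4 (sport), $5 (dst), $6 (dport).
ACL_RE = re.compile(
    r"SEC-6-IPACCESSLOGP: list \d+ (permitted|denied) (tcp|udp) "
    r"([a-fA-F0-9.:]+)\((\d+)\) -> ([a-fA-F0-9.:]+)\((\d+)\), \d+ packet"
)

class AclAlerter:
    """Hypothetical stand-in for 'threshold track_by=$3, type=limit, count=10,
    seconds=600': for each source IP ($3) act on the first `count` matches in a
    `seconds` window, then stay quiet until that window has expired."""

    def __init__(self, count=10, seconds=600):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src ip -> (window start time, hits in window)

    def feed(self, line, now):
        """Return the mail subject swatch would send, or None (no match / suppressed).
        `now` is the event time in seconds (an assumption; swatch uses the clock)."""
        m = ACL_RE.search(line)
        if not m:
            return None
        _action, proto, src, sport, dst, dport = m.groups()
        start, hits = self.windows.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            start, hits = now, 0  # open a fresh window for this source
        hits += 1
        self.windows[src] = (start, hits)
        if hits > self.count:
            return None  # type=limit: actions suppressed beyond `count`
        return f"Attempt to connect to {proto}/{dst}:{dport} from {src}:{sport}"

# Constructed sample lines in the syslog-ng template format from step 1
# ("$DATE <$FACILITY.$PRIORITY> $HOST $MSG"); addresses are documentation ranges.
SAMPLE = [
    "Jan 12 10:01:15 <local7.info> rtr-tldx 47: %SEC-6-IPACCESSLOGP: list 100 "
    "denied tcp 203.0.113.5(41022) -> 192.0.2.10(22), 1 packet",
    "Jan 12 10:01:16 <auth.info> noc-tldx sshd[812]: Accepted publickey for tldadmin",
]

def run_demo():
    """Feed the samples once; only the ACL line yields a subject."""
    alerter = AclAlerter()
    return [alerter.feed(line, 0.0) for line in SAMPLE]

if __name__ == "__main__":
    for subject in run_demo():
        print(subject)
```

Feeding the same source more than ten times inside 600 seconds shows the suppression that keeps a port scan from flooding the monitoring mailbox, and a different source gets its own counter.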