Skip to content

How to Use It

Enable command logging (Currently supported for Debian-based images)#

Command logging is enabled on host VMs by using several Ansible roles. If the organizer wants to log terminal commands, these roles must be added to the sandbox definition’s playbook. (More about sandbox definition creation: Create Sandbox Definition)

Warning

To forward logs from host VM to the MAN the KYPO Sandbox Forward to MAN Ansible role must be enabled with any combination of before mentioned roles. If this role is not added to the sandbox definition, logged data will not be accessible.

Accessing logged data#

The training organizer can access all logged data (training events or commands) by exporting the training instance in the Training Instance Overview. All data can be found in the exported archive in the corresponding files stored in the JSON format.

Archive

Local deployment with vagrant#

If you are using the local vagrant deployment configuration from the kypo-crp project and want to access logged data via the Training Instance Overview, you need to additionally set up the forwarding from MAN to your local machine. To manually set up this forwarding, follow these steps.

1. Create a new port forwarding rule in VirtualBox Manager (configured on Ubuntu):

Open the VirtualBox Manager, and in the Advanced Network settings of your KYPO VM session, click on the Port Forwarding button:
VirtualBox settings

The Port Forwarding Rules create a new rule for log forwarding with Guest IP of 172.19.0.22, Guest Port of 515, and with any Host port, e.g., 8015. For example, the Log Forwarding rule:

PortForwardingRules

2. Set the KYPO Head IP for sandbox service:

Open the kypo-sandbox-service-config.yml file (located in the /provisioning/roles/kypo-crp-configuration/templates/configuration/sandbox-service/kypo-sandbox-service-config.yml) and under the application_configuration uncomment and set the kypo_head_ip to the IP address of your local machine.

Note

If you don’t uncomment the kypo_head_ip attribute, all logs will be stored on the MAN in the /data/idm-logs/man.log file.

Note

You can check if your data are getting into the ELK infrastructure by using the following command inside the elasticsearch docker container to list all data stored in the Elasticsearch:

curl -XGET "http://localhost:9200/kypo*/_search?pretty=true"

3. Start the KYPO platform:

After the kypo-sandbox-service-config.yml is updated, you can start the KYPO platform (if the platform is already running, you must restart it) using the following command in /vagrant directory:

docker-compose up

4. Update syslog-ng configuration in the MAN:

After you have built your sandbox, you need to change the forwarding of the syslog-ng in the MAN. Access the MAN via ssh (How to access MAN: Sandbox SSH Access). When you are in the MAN open the syslog-ng log forwarding configuration:

sudo vim /etc/syslog-ng/conf.d/forward-rfc5424-messages.conf

Here in the destination d_kypo_head section change the port(515) to the Host port you set in the VirtualBox Manager in the first step and save your changes. Following the example from the first step your configuration should look like this (with an exception in IP address, which should be the one you set in the second step):

# EVENTS Log Source
source s_host {
    network(
       ip(0.0.0.0) 
       port(514) 
       transport(tcp)
       flags(syslog-protocol)
    );
};

destination d_kypo_head {
    network(
        "147.251.69.18"
        port(8015)
        transport(tcp)
        ip-protocol(4)
        flags(syslog-protocol)
    );
};

# EVENTS Log Pairing
log {source(s_host); destination(d_kypo_head);};

5. Restart the syslog-ng service on MAN:

As the last step you need to the restart syslog-ng service on the MAN by using the following command:

sudo systemctl restart syslog-ng.service

Wait a few seconds until the syslog-ng restarts.