Category Archives: Network Infrastructure

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

Setup The VPN Server and Client On Yosemite Server

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible.
Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in Yosemite Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to setup and even simpler to manage.

Setting Up The VPN Service In Yosemite Server

To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings  screen has two options available in the “Configure VPN for” field, which has two options:

  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol

vpn1

The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:

  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPNvpn2
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.vpn3
  • Routes: Select which interface (VPN or default interface of the client system) that a client connects to each IP address and subnet mask over. vpn4
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator or both using Profile Manager).

Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn

And to list the available options:

sudo serveradmin settings vpn

The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app:

vpn:vpnHost = "mavserver.krypted.lan"
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.240"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.224"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.239"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "yaright"

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10

By default, each protocol has a maximum of 128 sessions, configureable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn

Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "STOPPED"
vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear using:

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind"

Configuring Users For VPN Access

Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar.

vpn5

At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services.

vpn6

At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box.

vpn7

Setting Up Client Computers

As you can see, configuring the VPN service in Yosemite Server (OS X Server 2.2) is a simple and straight-forward process – much easier than eating your cereal with a fork and doing your homework in the dark.. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service.vpn8

At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create.

vpn9

At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings.

vpn10

At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection.

Conclusion

Setting Up the VPN service in OS X Yosemite Server is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into Yosemite at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

Setup The DCHP Service In Yosemite Server

DHCP, or Dynamic Host Control Protocol, is the service used to hand out IP addresses and other network settings by network appliances and servers. The DHCP Server built into OS X Server 3, installed on Yosemite running the Server app (aka Yosemite frickin’ server) is easy-to-use and fast. It’s pretty transparent, just as DHCP services should be. To install the service, open the Server app and then click on the Show button beside Advanced in the server sidebar. Then click on DHCP.

DHCP1

At the DHCP screen, you’ll see two tabs: Settings, used for managing the service and Clients, used to see DHCP leases in use by computers that obtain IP address information from the server. You’ll also see an ON and OFF switch, but we’re going to configure our scopes, or Networks as they appear in the Server app, before we enable the service. To configure a scope, double-click on the first entry in the Networks list.

DHCP2

Each scope, or Network, will have the following options:

  • Name: A name for the scope, used only on the server to keep track of things.
  • Lease Duration: Select an hour, a day, a week or 30 days. This is how long a lease that is provided to a client is valid before the lease expires and the client must find a new lease, either from the server you’re configuring or a different host.
  • Network Interface: The network interface you’d like to share IPs over. Keep in mind that you can tag multiple VLANs on a NIC, assign each an interface in OS X and therefore provide different scopes for different VLANs with the same physical computer and NIC.
  • Starting IP Address: The first IP address used. For example, if you configure a scope to go from 192.168.210.200 to 192.168.210.250 you would have 50 useable IP addresses.
  • Ending IP Address: The last IP address used in a scope.
  • Subnet Mask: The subnet mask used for the client configuration. This setting determines the size of the network.
  • Router: The default gateway, or router for the network. Often a .1 address for the subnet used in the Starting and Ending IP address fields. Note that while in DHCP you don’t actually have to use a gateway, OS X Server does force you to do so or you cannot save changes to each scope.
  • DNS: Use the Edit button for DNS to bring up a screen that allows you to configure the DNS settings provided as part of each DHCP scope you create, taking note that by default you will be handing out a server of 0.0.0.0 if you don’t configure this setting.

The DNS settings in the DHCP scope are really just the IP addresses to use for the DNS servers and the search domain. The search domain is the domain name appended to all otherwise incomplete Fully Qualified Domain Names. For example, if we use internal.krypted.lan and we have a DNS record for wiki.internal.krypted.lan then we could just type wiki into Safari to bring up the wiki server. Click the minus sign button to remove any data in these fields and then click on the plus sign to enter new values.

DHCP3

Click OK to save DNS settings and then OK to save each scope. Once you’ve build all required scopes, start the service. Once started, verify that a new client on the network gets an IP. Also, make sure that there are no overlapping scopes and that if you are moving a scope from one device to another (e.g. the server you’re setting up right now) that you renew all leases on client systems, most easily done using a quick reboot, or using “ipconfig /release” on a Windows computer. If you have problems with leases not renewing in OS X, check out this article I did awhile back.

So far, totally easy. Each time you make a change, the change updates a few different things. First, it updates the /etc/bootpd.plist property list, which looks something like this (note the correlation between these keys and the settings in the above screen shots.:





NetBoot

Subnets


allocate

dhcp_domain_name
no-dns-available.example.com
dhcp_domain_name_server

0.0.0.0

dhcp_domain_search

dhcp_router
192.168.210.1
lease_max
3600
name
192.168.210 Wi-Fi
net_address
192.168.210.0
net_mask
255.255.255.0
net_range

192.168.210.200
192.168.210.253

selected_port_name
en0
uuid
B03BAE3C-AB79-4108-9E5E-F0ABAF32179E


allow

bootp_enabled

deny

detect_other_dhcp_server

dhcp_enabled

old_netboot_enabled

relay_enabled

relay_ip_list




Settings from this file include:

  • dhcp_enabled – Used to enable dhcp for each network interface. Replace the immediately below with en0 . For additional entries, duplice the string line and enter each from ifconfig that you’d like to use dhcp on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the and immediately after the entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be 172.16.25.0.
  • net_mask – The subnet mask clients should have
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is 172.16.25.2 to 172.16.25.253.
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
  • dhcp_domain_search – Each domain in the domain search field should be suppled in a string within this array, if one is needed. If not, feel free to delete the key and the array if this isn’t needed.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.

If you run the serveradmin command, followed by the settings verb and then the dhcp service, you’ll see the other place that gets updated:

serveradmin settings dhcp

The output indicates that:

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_secondary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:selected_port_name = "en0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_router = "192.168.210.1"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name_server:_array_index:0 = "192.168.210.2"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_mask = "255.255.255.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_NBDD_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.200"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:lease_max = 3600
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_search:_array_index:0 = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:descriptive_name = "192.168.210 Wi-Fi"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_primary_server = ""
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_end = "192.168.210.253"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_address = "192.168.210.0"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_enabled = yes
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:dhcp_domain_name = "internal.krypted.lan"
dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:WINS_scope_id = ""
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:dhcp_domain_name = "no-dns-available.example.com"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:routers = _empty_dictionary
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "192.168.210.201"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "bridge0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:2 = "p2p0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:3 = "en1"
dhcp:logging_level = "MEDIUM"

Notice the correlation between the uuid string in /etc/bootp.plist and the arrayid entry for each subnet/network/scope (too many terms referring to the same thing, ahhhh!). Using the serveradmin command you can configure a lot more than you can configure in the Server app gui. For example, on a dedicated DHCP server, you could increase logging level to HIGH (as root/with sudo of course):

serveradmin settings dhcp:logging_level = "MEDIUM"

You can also change settings within a scope. For example, if you realized that you were already using 192.168.210.200 and 201 for statically assigned IPs elsewhere you can go ahead and ssh into the server and change the first IP in a scope to 202 using the following (assuming the uuid of the domain is the same as in the previous examples):

serveradmin settings dhcp:subnets:_array_id:B03BAE3C-AB79-4108-9E5E-F0ABAF32179E:net_range_start = "192.168.210.202"

You can also obtain some really helpful information using the fullstatus verb with serveradmin:

serveradmin fullstatus dhcp

This output includes the number of active leases, path to log file (tailing that file is helpful when troubleshooting issues), static mappings (configured using the command line if needed), etc.

dhcp:state = "RUNNING"
dhcp:backendVersion = "10.5"
dhcp:timeOfModification = "2014-10-04 04:24:17 +0000"
dhcp:numDHCPActiveClients = 0
dhcp:timeOfSnapShot = "2014-10-04 04:24:19 +0000"
dhcp:dhcpLeasesArray = _empty_array
dhcp:logPaths:systemLog = "/var/log/system.log"
dhcp:numConfiguredStaticMaps = 1
dhcp:timeServiceStarted = "2014-10-04 04:24:17 +0000"
dhcp:setStateVersion = 1
dhcp:numDHCPLeases = 21
dhcp:readWriteSettingsVersion = 1

Once started, configure reservations using  the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and ipaddr for the desired IP address of each entry:

%%
# hostname hwtype hwaddr ipaddr bootfile
a.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.230
b.krypted.lan 1 00:00:00:aa:bb:cc 192.168.210.240

You can start and stop the service either using the serveradmin command:

serveradmin stop dhcp
serveradmin start dhcp

Or using the launchctl:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist
sudo ; /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

On the clients, you can then use ifconfig followed by the getpacket verb and then an interface connected to the same network as the DHCP server in order to see the information supplied by the dhcp service, including the system that provided the DHCP lease to the client computers.

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

OS X Yosemite Server and dnsconfig

DNS is DNS. And named is named. Except in OS X Server. The configuration files for the DNS services in OS X Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/named makes it more portable across Mac DNS Servers.

Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In Yosemite Server, a command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig, introduced back in Mavericks. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).

To view data available in the service, use the list verb. Options available when using the list verb include –acl (show ACLs), –view (show BIND view data), –zone (show domains configured in the service), –rr (show resource records) and –rrtype (show types of resource records). For example, let’s say you have a domain called krypted.com and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=krypted.com

The output would show you information about the listed zone, usually including View data:

Views:
com.apple.ServerAdmin.DNS.public
Zones:
krypted.com
Options:
allow-transfer: none
allow-update: none

To see a specific record, use the –rr option, followed by = and then the fqdn, so to see mavserver.krypted.com:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=mavserver.krypted.com

By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the krypted.com from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.com --rr=www A 192.168.210.201

You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Or to delete that one www record earlier, just swap the add with a delete:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.com --rr=www A 192.168.210.201

Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):

  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)

Overall, this command shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

Mac Network Commands Cheat Sheet

After writing up the presentation for MacSysAdmin in Sweden, I decided to go ahead and throw these into a quick cheat sheet for anyone who’d like to have them all in one place. Good luck out there, and stay salty.

Get an ip address for en0:

ipconfig getifaddr en0

Same thing, but setting and echoing a variable:

ip=`ipconfig getifaddr en0` ; echo $ip

View the subnet mask of en0:

ipconfig getoption en0 subnet_mask

View the dns server for en0:

ipconfig getoption en0 domain_name_server

Get information about how en0 got its dhcp on:

ipconfig getpacket en1

View some network info:

ifconfig en0

Set en0 to have an ip address of 10.10.10.10 and a subnet mask of 255.255.255.0:

ifconfig en0 inet 10.10.10.10 netmask 255.255.255.0

Show a list of locations on the computer:

networksetup -listlocations

Obtain the active location the system is using:

networksetup -getcurrentlocation

Create a network location called Work and populate it with information from the active network connection:

networksetup -createlocation Work populate

Delete a network location called Work:

networksetup -deletelocation Work

Switch the active location to a location called Work:

networksetup -switchlocation Work

Switch the active location to a location called Work, but also show the GUID of that location so we can make scripties with it laters:

scselect Work

List all of the network interfaces on the system:

networksetup -listallnetworkservices

Rename the network service called Ethernet to the word Wired:

networksetup -renamenetworkservice Ethernet Wired

Disable a network interface:

networksetup -setnetworkserviceenabled off

Change the order of your network services:

networksetup -ordernetworkservices “Wi-Fi” “USB Ethernet”

Set the interface called Wi-Fi to obtain it if it isn’t already

networksetup -setdhcp Wi-Fi

Renew dhcp leases:

ipconfig set en1 BOOTP && ipconfig set en1 DHCP
ifconfig en1 down && ifconfig en1 up

Renew a dhcp lease in a script:

echo "add State:/Network/Interface/en0/RefreshConfiguration temporary" | sudo scutil

Configure a manual static ip address:

networksetup -setmanual Wi-Fi 10.0.0.2 255.255.255.0 10.0.0.1

Configure the dns servers for a given network interface:

networksetup -setdnsservers Wi-Fi 10.0.0.2 10.0.0.3

Obtain the dns servers used on the Wi-Fi interface:

networksetup -getdnsservers Wi-Fi

Stop the application layer firewall:

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

Start the application layer firewall:

launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

Allow an app to communicate outside the system through the application layer firewall:

socketfilterfw -t
“/Applications/FileMaker Pro/FileMaker Pro.app/Contents/MacOS/FileMaker Pro”

See the routing table of a Mac:

netstat -nr

Add a route so that traffic for 10.0.0.0/32 communicates over the 10.0.9.2 network interface:

route -n add 10.0.0.0/32 10.0.9.2

Log bonjour traffic at the packet level:

sudo killall -USR2 mDNSResponder

Stop Bonjour:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist


Start Bojour:

launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Put a delay in your pings:

ping -i 5 192.168.210.1

Ping the hostname 5 times and then stop the ping:

ping -c 5 google.com

Flood ping the host:

ping -f localhost

Set the packet size during your ping:

ping -s 100 google.com

Customize the source IP during your ping:

ping -S 10.10.10.11 google.com

View disk performance:

iostat -d disk0

Get information about the airport connection on your system:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I

Scan the available Wireless networks:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Trace the path packets go through:

traceroute google.com

Trace the routes without looking up names:

traceroute -n google.com

Trace a route in debug mode:

traceroute -d google.com

View information on all sockets:

netstat -at

View network information for ipv6:

netstat -lt

View per protocol network statistics:

netstat -s

View the statistics for a specific network protocol:

netstat -p igmp

Show statistics for network interfaces:

netstat -i

View network information as it happens (requires ntop to be installed):

ntop

Scan port 80 of www.google.com

/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke www.google.com 80 80

Port scan krypted.com stealthily:

nmap -sS -O krypted.com/24

Establish a network connection with www.apple.com:

nc -v www.apple.com 80

Establish a network connection with gateway.push.apple.com over port 2195

/usr/bin/nc -v -w 15 gateway.push.apple.com 2195

Establish a network connection with feedback.push.apple.com only allowing ipv4

/usr/bin/nc -v -4 feedback.push.apple.com 2196

Setup a network listener on port 2196 for testing:

/usr/bin/nc -l 2196

Capture some packets:

tcpdump -nS

Capture all the packets:

tcpdump -nnvvXS

Capture the packets for a given port:

tcpdump -nnvvXs 548

Capture all the packets for a given port going to a given destination of 10.0.0.48:

tcpdump -nnvvXs 548 dst 10.0.0.48

Capture the packets as above but dump to a pcap file:

tcpdump -nnvvXs 548 dst 10.0.0.48 -w /tmp/myfile.pcap

Read tcpdump (cap) files and try to make them human readable:

tcpdump -qns 0 -A -r /var/tmp/capture.pcap

What binaries have what ports and in what states are those ports:

lsof -n -i4TCP

Make an alias for looking at what has a listener open, called ports:

alias ports='lsof -n -i4TCP | grep LISTEN'

Report back the name of the system:

hostname

Flush the dns cache:

dscacheutil -flushcache

Clear your arp cache:

arp -ad

View how the Server app interprets your network settings:

serveradmin settings network

Whitelist the ip address 10.10.10.2:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 10.10.10.2

Finally, the script network_info.sh shows information about a Macs network configuration. Both active and inactive network interfaces are listed, in the order that they are used by the OS and with a lot of details (MAC-address, interface name, router, subnet mask etc.).

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure sites Ubuntu Unix

Manage Apex Domains In OS X

OS X Server supports running a traditional bind implementation of DNS. You can define a record for most any name, including google.com, www.google.com, www.www.google.com, etc. You can use this to redirect subdomains. In this example, we’ll create an A Record to point www.google.com to 127.0.0.1 without breaking other google.com subdomains. To get started, let’s use the DNS service in the Server app to create test.www.google.com. The reason for this is that OS X will then create a zone file for www.google.com. If we created www.google.com instead, then OS X would automatically create google.com, which would break the other subdomains. To do so, open Server app and click on the DNS Service. Then click on the plus sign to create a new record.

Screen Shot 2014-09-23 at 10.55.58 AM

Now, if you restart dns and ping test.www.google.com you should see the referenced IP. To then change www.google.com, we’d edit the zone file stored at /Library/Server/named/db.www.krypted.com. This file will look like this when you first open it:

www.google.com. 10800 IN SOA www.google.com. admin.www.google.com. (
2014092301 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
1209600 ; expire (2 weeks)
86400 ; minimum (1 day)
)
10800 IN NS test.www.google.com.
test.www.google.com. 10800 IN A 127.0.0.1

We’ll add an a record for a.www.google.com:

a.www.google.com. 10801 IN A 127.0.0.1

Now, to change the apex record, you’d just replace the name you’ve been using with an @:

@ 10801 IN A 127.0.0.1

Good luck!

Mac OS X Mac Security Network Infrastructure

Bringing stroke Back

Stroke got moved, so dug this up and am reprinting with the latest and greatest location.

Network Utility has a port scanner – it’s built in and really easy to use. Sure, stroke isn’t nmap, but it’s not trying to be… Since Network Utility is distributed with every copy of Mac OS X it stands to reason that every copy of Mac OS X has the ability to scan a port without using a GUI tool.  Enter one of the best named tools in Mac OS X, stroke.  Stroke is the command line back-end to the Port Scan tab of Network Utility.  To use stroke, you will need to cd into the Network Utility application bundle and then cd into Contents and then Resources.

Once you are at “/System/Library/CoreServices/Applications/Network Utility.app/Contents/Resources”, you will need to provide stroke with an IP address (or name), followed by the first port to scan and then the last (or the same number twice if your range is only one IP address.  For example, if you want to port scan port 80 on your own system you could use the following:

./stroke 127.0.0.1 80 80

But you shouldn’t just stroke yourself (sorry, couldn’t help it).  You should also stroke others (Clarence Carter be damned!).  So if you want to port scan www.google.com for port 80 the following would achieve such a lofty goal:

./stroke www.google.com 80 80

Because the name www.google.com has to resolve, you’re actually able to check whether a DNS error occurs and whether you can communicate over port 80 to the host in one command.  If you want to make a copy of stroke into a directory and then add it to your environment variable’s PATH you can then use it without needing to change your working directory.

Mac Security Mass Deployment MobileMe Network Infrastructure

Network Port Testing With Netcat

You can do some pretty simple testing of ports and network communications using strategies I’ve outlined in the past with tcpdump, trace route, telnet, curl, stroke and of course ping. However, netcat has a few interesting things you can do with it; namely actually run a port super-quickly to test traffic between subnets, forcing scans of ipv6 traffic, debugging sockets, keeping connections alive, parodying through SOCKS 4 and 5 and just checking for daemons that are listening rather than actually sending data to them.

In this first example, we’re going to just check that Apple’s web server is accessible (adding -v for verbose output):

/usr/bin/nc -v www.apple.com 80

The result would be pretty verbose

found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 10.10.20.176 port 50575
dst 23.78.138.214 port 80
rank info not available
TCP aux info available

Connection to www.apple.com port 80 [tcp/http] succeeded!
HTTP/1.0 408 Request Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Date: Tue, 29 Jul 2014 15:41:34 GMT
Content-Type: text/html
Content-Length: 218
Expires: Tue, 29 Jul 2014 15:41:34 GMT

<HTML><HEAD>
<TITLE>Request Timeout</TITLE>
</HEAD><BODY>
<H1>Request Timeout</H1>
The server timed out while waiting for the browser’s request.<P>
Reference&#32;&#35;2&#46;48cf4d17&#46;1406648494&#46;0
</BODY></HTML>

If we added a -w to timeout we’ll cut out all the cruft (but wouldn’t know that the server’s at Akamai). Next, we’ll get a little more specific and fire up a test to check Apple’s push gateway at, using port 2195:

/usr/bin/nc -v -w 15 gateway.push.apple.com 2195

But, I want the cruft for the purposes of this article. Next, we can add a -4 to force connections over IPv4 and check the Apple feedback server and port 2196, also required for APNs functionality:

/usr/bin/nc -v -4 feedback.push.apple.com 2196

Right about now, something is probably happening at Apple where they’re getting sick of me sending all this data their direction, so let’s add a -z option, to just scan for daemons, without actually sending any data their way:

/usr/bin/nc -vz -4 feedback.push.apple.com 2196

Because of how NAT works, you might notice that the src port keeps changing (incrementing actually). Here’s the thing, we’re gonna’ go ahead and force our source port to stay the same as our destination port using the -p option:

/usr/bin/nc -vz -4 -p 2196 feedback.push.apple.com 2196

Now, what if this is failing? Well, let’s spin up a listener. I like to start on my own subnet, then move to another subnet on the same network and ultimately to another network so I’m checking zone-by-zone so-to-speak, for such a failure. So, we can spin up a listener with netcat in a few seconds using the -l option on another host:

/usr/bin/nc -l 2196

Then I can scan myself:

/usr/bin/nc 127.0.0.1 2196

I could also do this as a range if I forgot which port I used per host:

/usr/bin/nc 127.0.0.1 2195-2196

Now, as is often the case, if our connection problem is because data isn’t parodying, we can also use nc to check that using the -x operator followed by an IP and then : and a port. For example:

/usr/bin/nc -vz -4 -w 10 -p 2196 -x 10.0.0.2:8080 feedback.push.apple.com 2195-2196

Fun times with push notifications. Enjoy.

cloud Network Infrastructure

New AWS OmniGraffle Stencil

Before I post the new stencil, let me just show you how it came to be (I needed to do something, which required me to do something else, which in turn caused me to need to create this):

programming

Anyway, here’s the stencil. It’s version .1 so don’t make fun: AWS.gstencil.

To install the stencil, download, extract from the zip and then open. When prompted, click on Move to move it to the Stencils directory.

Screen Shot 2014-06-04 at 10.05.56 PMReopen OmniGraffle and create a new object. Under the list of stencils, select AWS and you’ll see the objects on the right to drag into your doc.

Screen Shot 2014-06-04 at 10.09.04 PM

Good luck writing/documenting/flowcharting!

cloud Mac Security Network Infrastructure

Configure Syslog Options on a Meraki

Meraki has a syslog option. To configure a Meraki to push logs to a syslog server, open your Meraki Dashboard and click on a device. From there, click on “Alerts & administration”.

Screen Shot 2014-04-12 at 8.29.16 PM

At the “Alerts & administration” page scroll down to the Logging section. Click on the “Add a syslog server” link and type the IP address of your syslog servers name or IP. Put the port number into the Port field. Choose what types of events to export. This could be Event Log, Flows or URLs, where:

  • Event Log: The messages from the dashboard under Monitor > Event log.
  • Flows: Inbound and outbound traffic flows generate syslog messages that include the source and destination and port numbers.
  • URL: HTTP GET requests generate syslog entries.

Note that you can direct each type of traffic to a different syslog server.

Active Directory Mac OS X Mac OS X Server Microsoft Exchange Server Network Infrastructure Ubuntu Unix VMware Windows Server

Stashbox: Turning a Mac Mini Into A Logstash and Kibana Server

You have a lot of boxes. You would like to be able to parse through the logs of all those boxes at the same time, searching for a given timestamp across a set of machines for a specific string (like a filename or a port number). elasticsearch, logstash and kibana are one way to answer that kind of need. This will involve downloading three separate packages (which for this article, we’ll do in /usr/local) and creating a config file.

First, install the latest Java JDK. This is available at jdk8-downloads-2133151.html.

The following is going to download the latest version of logstash and untar the package into /usr/local/logstash (I like nesting that logstash-1.4.0 inside logstash so when the next version comes out I can have it there too, I have plenty of space so keeping a couple versions back helps in the event I need some old binary and can’t get to it ’cause they revved out the version I wrote a script against at some point):

curl -O https://download.elasticsearch.org/logstash/logstash/logstash-1.4.0.tar.gz
mkdir /usr/local/logstash
tar zxvf logstash-1.4.0.tar.gz -C /usr/local/logstash

Once we have log stash, we’ll grab elastic search similarly:

curl -O https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.0.1.tar.gz
mkdir /usr/local/elasticsearch
tar zxvf elasticsearch-1.0.1.tar.gz -C /usr/local/elasticsearch

Then we’ll untar kibana in the same manner:

curl -O https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0.tar.gz
mkdir /usr/local/kibana
tar zxvf kibana-3.0.0.tar.gz -C /usr/local/kibana

Next we’ll make a very simple config file that we call /usr/local/stashbox.conf that listens on port 514 for syslog:

input {
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}

Next, we’ll enable elastic search:

/usr/local/elasticsearch/elasticsearch-1.0.1/bin/elasticsearch

And finally, in a different window we’ll call logstash with that file as the config file:

/usr/local/logstash/logstash-1.4.0/bin/logstash -f /usr/local/stashbox.conf

Having each of these open in different Terminal windows allows you to see logs in stdout. Next, point a host at your new syslog box. You can use http://krypted.com/windows-server/use-syslog-on-windows for installing Windows clients or http://krypted.com/mac-security/redirect-logs-to-a-syslog-server-in-os-x/ for  a Mac. Once done, let’s get Kibana working. To do so, first edit the config.js.

vi /usr/local/kibana/kibana-3.0.0/config.js

Locate the elastic search setting and put the name of the host running logstash in there (yes, it can be the same as the actual logstash box as long as you install a web server on the logstash box). Then save the changes.

Now move the contents of that kibana-3.0.0 folder into your web directory. Let’s say this is a basic OS X Server, that would be:

cp -R /usr/local/kibana/kibana-3.0.0/* /Library/Server/Web/Data/Sites/Default/

You can then check out your Kibana site at http://localhost or http://localhost/index.html#/dashboard/file/logstash.json for the actual search pages, which is what I’ve bookmarked.

Screen Shot 2014-04-10 at 10.37.51 PM

For example, to see the impact of periodic scripts in System Logs:

Screen Shot 2014-04-12 at 9.07.44 AM