Centralising logs for fun and profit

It’s one of those things that usually gets pushed to the back burner because it seems like too much work for too little gain: setting up a central syslog server which all your other systems can report back to.

This is a shame, because there are lots of benefits to having such a server:

  • You can analyse what’s going on in your network from a single, central location – saving you from having to log into a variety of devices for troubleshooting.
  • Improved security – if you have a security breach, the offender has to break into the logging server as well if they’re to cover their tracks properly. (I wouldn’t recommend re-purposing an existing server for precisely this reason – you want your syslog server to be as secure as possible, which means it needs to be running as few services as possible).
  • You only need to remember one set of tools to manage logs from a range of devices. Most routers will happily send logs back to a remote syslog server; there are also third-party products you can install on Windows.

It’s trivially easy to set this up in any reasonably modern Linux distribution. Once again, I’m going to use Debian for this example.

Out of the box, Debian uses rsyslog and stores the configuration file in /etc/rsyslog.conf. Fortunately, the default configuration only needs minor changes to two lines as shown in this excerpt:

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

Uncomment the lines beginning $ModLoad and $UDPServerRun by removing the # symbols:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Restart rsyslogd (service rsyslog restart) and… that’s it. Done.

Well, that’s not quite it. A remote syslog server isn’t much good unless you have equipment sending logs to it.  On any other Debian servers you may have, this is just a matter of adding a line to /etc/rsyslog.conf:

*.* @192.168.42.39:514

(substitute your own logging server’s IP address or hostname for 192.168.42.39).

Restart rsyslog on the server that will be sending logs to your remote syslog server. Now when you check your remote syslog server, you should find logs appearing from both itself and anything else that’s configured to send logs to it.

Advanced Tweaks

Once you’ve got this done, there’s all sorts of things you can add. You can separate logfiles according to the host that generated them, you can have new logfiles created every day with an appropriate filename… or you can just stick with the basic configuration which will put everything in the same set of log files and just use grep to separate the interesting information.

Whatever you do, keep a sharp eye on disk space on your logfile server. Logs can grow very large very quickly, and a syslog server with a full disk won’t log anything at all.
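Putting the tweaks above together, here is an added example (not from the original post) in shell: it generates an rsyslog drop-in for /etc/rsyslog.d/ that accepts UDP syslog only from an assumed client subnet (192.168.42.0/24) and files each remote host’s messages under an assumed /var/log/remote directory, and installs it when run with `install`.

```shell
#!/bin/sh
# Added example, not from the original post: instead of editing /etc/rsyslog.conf by
# hand, generate a drop-in for /etc/rsyslog.d/ that opens 514/udp only to the client
# subnet and files each remote host's messages separately. The subnet, the log
# directory and the drop-in file name are assumptions; change them to suit.
ALLOWED_NET="${ALLOWED_NET:-192.168.42.0/24}"     # assumed client subnet
REMOTE_ROOT="${REMOTE_ROOT:-/var/log/remote}"     # assumed per-host log directory

# Print the drop-in to stdout. The heredoc is unquoted so the two shell variables
# expand; rsyslog's own $ directives and %$YEAR%-style properties are escaped.
rsyslog_remote_conf() {
cat <<EOF
# provides UDP syslog reception (rsyslog legacy syntax, as in /etc/rsyslog.conf)
\$ModLoad imudp
# Accept datagrams only from these senders. Plain UDP syslog carries no
# authentication and the source address can be forged, so also filter 514/udp
# at the host firewall rather than relying on this list alone.
\$AllowedSender UDP, 127.0.0.1, $ALLOWED_NET
\$UDPServerRun 514
# One file per sending host and day, e.g. $REMOTE_ROOT/router1/2012-10-09.log
\$template RemoteHost,"$REMOTE_ROOT/%HOSTNAME%/%\$YEAR%-%\$MONTH%-%\$DAY%.log"
# Anything that did not originate on this box goes to its per-host file and is
# then discarded (& ~), so it is not duplicated into /var/log/syslog.
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteHost
& ~
EOF
}

# Usage: sh remote-syslog.sh install   (as root; writes the drop-in and restarts rsyslog)
case "${1:-}" in
    install)
        mkdir -p "$REMOTE_ROOT"
        rsyslog_remote_conf > /etc/rsyslog.d/10-remote.conf
        service rsyslog restart
        ;;
esac
```

After the restart, running `logger -n 192.168.42.39 -P 514 -d "test from $(hostname)"` on a client with a util-linux logger should produce a line under /var/log/remote/<client>/ on the server, while a message from a host outside the allowed subnet is dropped.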

Quickly Add Users to Lync 2010 Environment

Update (10/11): new script posted

I had the chance to work on this script a little bit more and was able to add a few of the features and checks that I wanted originally: a check for whether a user exists in Active Directory, a check for whether the user is already a member of the Lync environment, and a very simple logging mechanism that records names that weren’t in AD, users already in Lync, etc. This makes life easier if the script has been run but there were misspellings or other anomalies in the CSV file that is read in.

The format for reading in users is exactly the same, so just look at the example CSV file posted at the bottom of the page to get an idea of how users should be entered so that the file is read in properly.

The updated code is posted below. I will be adding this to my GitHub account in the future as well, so check out GitHub if you aren’t already a member.

##======================================================================================
##Script:  EnableLyncUsers.ps1
##Name:    Josh Reichardt
##Email:   [email protected]
##Date:    10/9/12
##Purpose: Use this script to add users already in AD domain into Lync 2010 environment.
##Notes:   Reads in a CSV file with pre populated AD Display names.  Can be adjusted to
##	   work with alternate AD names (eg SIP address, UPN or AD log on name).
##======================================================================================

#Variables.
$File = "C:\Lync\test.csv"
$Log = New-Item -ItemType File -Path "C:\Lync\userlog.txt" -Force

#Import CSV File
$UserArray = Import-CSV -Path $File

#Check if user file is empty.
if ($UserArray -eq $null)
{
	 write-host "No Users Found in Input File"
	 exit 0
}

#Get total number of users in CSV file and begin processing.
$count = $UserArray | Measure-Object | Select-Object -expand count
Write-Host "Found " $count "Users to import."
Write-Host "Processing Users.....`n"
$index = 1

ForEach ($User in $UserArray) {

	Write-Host "Processing User " $index " of " $count
	#Increment here so that skipped users are still counted.
	$index++
	$Fullname = $User.DisplayName
	$aduser = Get-CsAdUser -Identity $Fullname

	#Check if user is in AD.  Log if they are NOT and move on to the next user,
	#otherwise Enable-CsUser would be attempted for an account that does not exist.
	if ($null -eq $aduser) {
		Write-Host "User " $Fullname " is not in AD.  Double check spelling, etc." -Foregroundcolor Red
		Add-Content -Path $Log -Value "$($Fullname) is not in AD.  Double check spelling, etc."
		continue
	}

	#User is in AD.  Check if already enabled in Lync and log if so.
	if ($aduser.Enabled) {
		Write-Host $Fullname "is already enabled in Lync, skipping." -Foregroundcolor Yellow
		Add-Content -Path $Log -Value "$($Fullname) is already enabled in Lync."
	}

	#User not enabled.
	else {
		Write-Host "Adding user " $Fullname -Foregroundcolor Green
		Enable-CsUser -Identity $Fullname -Registrarpool "lyncpoolGMRC.gmrcnt.local" -SipAddressType Emailaddress

		#Check if last command failed.  If it did, log it.
		if (!$?) {
			Add-Content -Path $Log -Value "$($Fullname) not enabled.  $(Get-Date) $($error[0])"
		}
	}
}

Below I have posted the quick and dirty method to bulk import a list of users from a CSV file into your Lync environment, using their first and last names, with the Lync Management Shell (LMS). I say quick and dirty because it lacks a way to tell if users are already in the Lync environment, and it cannot cope with users that have misspelled or changed names in the CSV file. But it works, for the most part, in a jam.

I should mention that this can be modified to identify users in different ways. For example, the -Identity parameter accepts:

  • The user’s Active Directory display name (e.g., “John Doe”)
  • The user’s SIP address (e.g., “sip:[email protected]”)
  • The user’s User Principal Name (e.g., “[email protected]”)
  • The user’s domain name and logon name, in the format domain_name\logon_name (e.g., psa\jdoe)

And here is the original code to get the users imported into your Lync environment. Again, very rough; check the updated version if you want more features.

#Variables
$File = "C:\Lync\lyncusers.csv"

#Import CSV File
$UserArray = Import-CSV -Path $File

if ($null -eq $UserArray)
{
	write-host "No Users Found in Input File" -foregroundcolor red -backgroundcolor black
	exit 0
}

ForEach ($User in $UserArray) {

	#Look the user up in AD by the DisplayName column (the same column used below)
	#and keep them only if they are not already Lync-enabled.  $aduser stays
	#empty if the name is not found in AD at all.
	$aduser = Get-CsAdUser -Identity $User.DisplayName | Where-Object {$_.Enabled -ne $true}

	#Enable user
	if ($null -ne $aduser) {
		Enable-CsUser -Identity $User.DisplayName -Registrarpool "lyncpoolGMRC.gmrcnt.local" -SipAddressType Emailaddress
	}
}

Write-Host "Users added successfully."

The CSV file will look similar to the following (in my case, DisplayName, or First and Last name):

I’ve found this to be helpful any time I need to add more than just a few users at a time into the current environment because the GUI is so cumbersome.

Helpful Keyboard Shortcuts in Server 2012

I am currently evaluating Server 2012, looking at all the new improvements it has to offer. I have been playing with it in a test environment over the past week and am slowly gaining my bearings with regard to navigation and getting around in the new OS. This newest Microsoft release has definitely been an overhaul and takes a certain amount of adjustment to get used to. I would like to highlight a few useful commands that will tremendously decrease the burden and learning curve when you look at this new OS and adjust to its differences.

I should mention that if you are managing these servers through RDP you will need to change the default keyboard behavior to “On the Remote Computer” on the keyboard resource screen.

Windows key

This is the first and most obvious shortcut I would like to mention. It is probably the most important as well, and in my opinion it is much easier to access than placing your cursor in the bottom left corner. This will pull up the new and improved Start menu (though some would disagree). From here you can browse basic tasks or start typing to pull up the built-in Search menu, which is actually pretty slick. The search feature along with the new Server Manager will quickly become your best friend in Server 2012.

Windows key + c

Opens the new Windows “Charm” bar. For those of you who are still new to 2012 like I am, this is the sidebar on the right that appears if you drag your mouse to the top right corner. It is so much easier to just use the keyboard shortcut here, for the same reason that the Win key is easier for opening the Start menu. It is just annoying not to use the keyboard shortcut.

Windows key + x

This one is very handy once you get used to using keyboard shortcuts for everything.  It essentially pulls up a list of some of the most common menus in the bottom left corner.  It becomes very useful when you are doing a lot of maintenance on numerous 2012 servers.

Windows key + d

This is another great time saver: it minimises everything to show the desktop. It has been around for a while, but it has become so much more useful in 2012 because of the change in the GUI. So if you’re like me and put a lot of stuff on the desktop then this is super helpful, especially if you have a bunch of windows open and your desktop is seemingly buried. To put things back to where they were, just punch in the key combo again to restore your workspace.

Windows key + q

This will pull open the search bar immediately which will skip the initial Start Menu screen, which isn’t always super useful in the first place.

Even with just these few shortcuts you will vastly improve your user experience in Server 2012, at least I did.  Getting familiar with the newest version of Windows quickly will be an important step for administrators because the latest version offers so many improvements and useful features. It would be a foolish mistake not to invest in learning this GUI just because it is different and isn’t what people are used to.

Resource(s):
http://technet.microsoft.com/en-us/library/hh831491.aspx#BKMK_keys

Network booting without changing your existing infrastructure

There are lots of instructions out there explaining how to set up PXE booting – but most of them assume you’re happy to mess with a perfectly good DHCP configuration. There are lots of reasons you might not want to do this, but that doesn’t mean you have to forgo the convenience of just hitting a key at boot and booting PCs or servers from the network. In this tutorial, we’ll be looking at setting up network booting from a Linux box without touching your existing DHCP infrastructure. This will work even if you’re using something else entirely for DHCP.

These instructions were originally written for Debian, though they should work equally well with minor tweaks on Ubuntu.

First, you want to install dnsmasq:

apt-get install dnsmasq

(use sudo if you’re not logged in as root!)

Once you’ve done that, you need to configure dnsmasq to act as a Proxy DHCP server. I’ve put this in a separate configuration file in /etc/dnsmasq.d/pxe.conf:

# Put your own DHCP range in here.

dhcp-range=192.168.42.0,proxy
pxe-prompt="Press F8 for menu", 20
pxe-service=x86PC, "Boot from local disk"
pxe-service=x86PC, "Install Linux", pxelinux
enable-tftp

# This can be anywhere you like.

tftp-root=/srv/tftp
tftp-secure

Make sure /srv/tftp exists:

mkdir -p /srv/tftp

That’s the hard work out of the way. All we need now is something that can be served up via tftp, and the nice people behind Debian provide that for us:

cd /srv/tftp
wget ftp://ftp.debian.org/debian/dists/stable/main/installer-i386/current/images/netboot/netboot.tar.gz
tar zxf netboot.tar.gz
rm netboot.tar.gz
chown -R dnsmasq /srv/tftp

Restart dnsmasq and check that it has started using ps:

service dnsmasq restart
ps -ef | grep dnsmasq

Now you can test. Boot a PC from the network; if it all goes according to plan, you should see something like this:

Press F8 as per the instructions and you’ll be prompted to choose between booting from the local disk or installing Linux. Choose “Install Linux” and you’ll drop into the Debian installer menu:

From here, you can install Debian as per usual.
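As an added check that is not part of the original tutorial, here is a small shell script that verifies the TFTP root before you boot clients: under tftp-secure, dnsmasq serves only files owned by the user it runs as, and nothing in that tree should be writable by other local users. The /srv/tftp path and the dnsmasq user name are taken from the tutorial; `check_tftp_root` is my own helper.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check the TFTP root before
# booting clients. With tftp-secure, dnsmasq serves only files owned by the user
# it runs as, so a stray root-owned file shows up on the client as "file not
# found"; and nothing in the tree should be writable by other local users,
# because whatever sits there is what every network-booting machine will run.
# /srv/tftp and the "dnsmasq" user come from the tutorial; the function is mine.

# check_tftp_root ROOT OWNER
# Prints each problem found and returns 1 if there were any, 0 if the tree is clean.
check_tftp_root() {
    root="$1"; owner="$2"; rc=0
    # The pxe-service line names the boot file "pxelinux"; dnsmasq appends ".0".
    if [ ! -f "$root/pxelinux.0" ]; then
        echo "missing $root/pxelinux.0 (boot file named in pxe-service)"
        rc=1
    fi
    # Files tftp-secure will refuse to hand out.
    bad=$(find "$root" -type f ! -user "$owner")
    if [ -n "$bad" ]; then
        printf 'not owned by %s, will not be served:\n%s\n' "$owner" "$bad"
        rc=1
    fi
    # Files or directories any local user could modify or replace
    # (symlinks are skipped: their own mode bits are meaningless).
    bad=$(find "$root" ! -type l -perm -002)
    if [ -n "$bad" ]; then
        printf 'world-writable:\n%s\n' "$bad"
        rc=1
    fi
    return $rc
}

# Usage: sh check-tftp.sh check   (run on the dnsmasq box after extracting netboot.tar.gz)
case "${1:-}" in
    check) check_tftp_root /srv/tftp dnsmasq && echo "/srv/tftp looks good" ;;
esac
```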

An Easy Way to Synchronize your Passwords

I have a lot of passwords. Like, somewhere in the range of 50 or so for various work stuff, email, home server, websites, etc. I don’t know about anybody else, but I can’t remember that many passwords, let alone keep track of which ones change or expire. In this post I will be going over a way to keep passwords centralized in one place, secure and available to me whenever I need them (for the most part). On top of that, this is a great way to keep all of your passwords up to date easily. Because I am always creating new accounts or changing existing account passwords, this is essentially the best way that I have found to do it over the years.

It is a fairly simple idea in practice, so let’s get going. You will need a few things first. Download and install Dropbox on any and all of the computers that you will want to view, edit or create usernames and passwords on. I like Dropbox because it works cross-platform, so I can sync my folders on a Linux, Android, iOS or Mac OS system like I would on a Windows box, which is pretty handy. Oh yeah, and it’s free.

Next we are going to need to go get a program called KeePassX.  This is what actually keeps track of your passwords.  This project was spawned originally from KeePass.  One very nice feature is that the password database files are compatible across programs so if you don’t like KeePassX you can check out KeePass and everything will just work, and vice versa, going from KeePass to KeePassX.  I like this program because like Dropbox it is cross platform, reliable, free (Open Source), has some pretty handy features and is super easy to use.

Ok sweet, now that we have the tools we need it is just a matter of getting up and going. Not a lot of configuration, but there are a few steps. The first is to make a home for your password file and your encryption key (if you want to use two factor authentication) inside Dropbox. I made a folder called “keepassx” and put my crypto key, “keepassx”, and my password file, “passwords.kdb”, in there.

But we need to create these files with KeePassX before we can put them in our Dropbox folder.  Easy enough, most of these should be pretty much self explanatory so if I miss something let me know.

So this is the screen you get when you open up KeePassX by default.  If you already have your password file created just enter your master password and your key file (encryption key) if you created one to open up your password list.  If this is the first time opening the program choose a master password and decide if you want to use an encryption key.  The encryption key, should you choose to make one, will be one of the files that goes into your Dropbox folder to be synchronized.

NOTE: The password pictured above is your master password and should be chosen carefully.  It should be unique, have as many unique characters and as much entropy as possible if you want your password file to be as secure as possible.

Once you have created your master password and encryption key, the rest is easy. Take a spin, create some password entries, build a few groups, whatever you want, just so we can get some data into the password database. Then just save your file to the Dropbox folder you created earlier.

Now from whatever other device you would like to access this from just open KeePassX, enter your password and browse to the location you set for your password file.
