Security Basics mailing list archives
RE: syslog log collabration
From: "subscribe" <subscribe () kringstad net>
Date: Mon, 4 Aug 2003 19:41:47 +0200
In reply to question 2.
------------------------
I do not want to install a firewall locally, as all the computers are behind a firewall. So if syslog-ng has this feature, I'll look into it. Btw, in secure mode: is the traffic then encrypted in some sort? I will believe that ordinary syslogd sends logs in clear text?!

In reply to question 3.
-------------------------
I'm not looking to purchase some software, I was hoping that open source had some good apps. I've tested logdigest and logwatch, but I'm not sure if these are right. I hoped that this app could send me a summary once a day, and maybe a PHP frontend and also realtime alerts. My network is about 1000 computers, but I'd like to use an application that scales from 10 - 100 servers, differing from Linux to Microsoft.

---
Trond

-----Original Message-----
From: Simon Smith [mailto:simon () snosoft com]
Sent: 4. august 2003 09:45
To: Glenn English; security-basics () securityfocus com
Subject: Re: syslog log collabration

Actually Glenn, he might want more options.

To answer question 1.
If you want to use mysql templates and record system logs to a mysql database or do something funky like that, then you should use syslog-ng. Syslog-ng is a very powerful replacement for syslogd; however, it has had quite a few security flaws/vulnerabilities in it. It will listen on port 514 UDP, which is the standard syslogd listen port. If you start it with the -s flag it will run in what I think is called secure mode and will not listen to incoming external UDP data. (Glenn, port 413 is not the standard syslogd listen port, what were you talking about? Did I miss something?)

To answer question 2.
If your system is behind a firewall, create rules that block port 514 UDP from any external hosts to your log host. If it is not, you probably want to install or configure some sort of firewall on the local host. I think that syslog-ng has some support for what hosts can connect to the listen port, but I am not certain...

To answer question 3.
Define good? When you say you need to have a good tool for this, what do you mean exactly? What do you want this to do for you? Are you looking to purchase something? How big is your network, how big is your company?

At 09:43 AM 7/29/2003 -0600, Glenn English wrote:
> On Tue, 2003-07-29 at 03:12, subscribe wrote:
> > 1. I'm not sure which syslog daemon to choose: syslogd or syslog-ng. Any comments?
>
> syslogd. Start it with the -r switch to have it listen on port 413, UDP.
>
> > 2. I have to make the syslog daemon secure so that only the hosts I choose can connect. Are there any whitepapers or recommendations on how to do this?
>
> On Linux, use iptables or ipchains as a packet filter.
>
> > 3. I need to have a good syslog analyzer to do the logs, report on
> > or web. What is the best tool for this?
>
> logwatch does a pretty good job. It's bundled with most Linux distros.
>
> --
> Glenn English
> ghe () slsware com
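As an added example that is not part of any message in this thread: a small Python sketch of what a log host does with the two points discussed above, restricting which sender hosts are accepted (the same policy the iptables rule for 514/udp or syslog-ng's host restriction enforces) and parsing classic BSD syslog lines into facility/severity so a daily per-host summary of the kind Trond asks for can be produced. The allow-list networks, host names and sample datagrams are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption (constructed): only these sender networks may deliver to the log host.
# This mirrors a firewall rule that admits 514/udp only from known hosts.
ALLOWED_SENDERS = [ip_network("10.0.0.0/24"), ip_network("192.168.1.10/32")]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Classic BSD syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss host tag: message
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def sender_allowed(sender_ip: str) -> bool:
    """Host-level filter: drop datagrams from anything outside the allow-list."""
    addr = ip_address(sender_ip)
    return any(addr in net for net in ALLOWED_SENDERS)

def parse_syslog(line: str):
    """Return (facility, severity, host, content), or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility*8 + severity; 23*8 + 7 = 191 is the maximum
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(3), m.group(4)

def summarize(datagrams):
    """datagrams: iterable of (sender_ip, raw_line). Returns per-(host, severity)
    counts for accepted lines and the number dropped (bad sender or malformed)."""
    counts, dropped = Counter(), 0
    for sender_ip, raw in datagrams:
        rec = parse_syslog(raw) if sender_allowed(sender_ip) else None
        if rec is None:
            dropped += 1
            continue
        _facility, severity, host, _content = rec
        counts[(host, severity)] += 1
    return counts, dropped

# Constructed sample datagrams as the log host would receive them on 514/udp.
SAMPLE = [
    ("10.0.0.5", "<34>Aug  4 19:41:47 web1 sshd[123]: Failed password for root"),
    ("10.0.0.5", "<38>Aug  4 19:41:50 web1 sshd[123]: Accepted publickey for trond"),
    ("192.168.1.10", "<13>Aug  4 19:42:01 db1 cron[44]: job finished"),
    ("203.0.113.9", "<13>Aug  4 19:42:05 host9 unexpected sender"),  # not on allow-list
    ("10.0.0.5", "garbage without a PRI header"),                     # malformed
]
```

Running `summarize(SAMPLE)` accepts the three lines from allowed senders and drops the other two; a daily report is just this summary emitted once per day.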
Current thread:
- Re: syslog log collabration Simon Smith (Aug 04)
- <Possible follow-ups>
- RE: syslog log collabration subscribe (Aug 04)