Security Basics mailing list archives

RE: syslog log collabration


From: "subscribe" <subscribe () kringstad net>
Date: Mon, 4 Aug 2003 19:41:47 +0200

In reply to question 2.
------------------------
I do not want to install a firewall locally, as all the computers are 
behind a firewall. So if syslog-ng has this feature, I'll look into it.
Btw, in secure mode: is the traffic then encrypted in some way?
I believe that ordinary syslogd sends logs in clear text?!

In reply to question 3.
-------------------------
I'm not looking to purchase some software, I was hoping that open source
had some good apps. I've tested logdigest and logwatch, but I'm not sure
if these are right. I hoped that this app could send me a summary once
a day, and maybe a PHP frontend and also realtime alerts. 

My network is about 1000 computers, but I'd like to use an application
that scales from 10 - 100 servers differing from Linux to Microsoft.


---
Trond

-----Original Message-----
From: Simon Smith [mailto:simon () snosoft com] 
Sent: 4. august 2003 09:45
To: Glenn English; security-basics () securityfocus com
Subject: Re: syslog log collabration

Actually Glenn, he might want more options.

To answer question 1.

If you want to use mysql templates and record system logs to a mysql
database or do something funky like that then you should use syslog-ng.
Syslog-ng is a very powerful replacement for syslogd, however it has had
quite a few security flaws/vulnerabilities in it. It will listen on port
514 UDP which is the standard syslogd listen port.  If you start it with
the -s flag it will run in what I think is called secure mode and will
not listen to incoming external UDP data. (Glenn, port 413 is not the
standard syslogd listen port, what were you talking about?  Did I miss
something?)

To answer question 2.

If your system is behind a firewall create rules that block port 514 UDP
from any external hosts to your log host. If it is not you probably want
to install or configure some sort of firewall on the local host.  I
think that syslog-ng has some support for what hosts can connect to the
listen port, but I am not certain...

To answer question 3.

Define good?   When you say you need to have a good tool for this what
do you mean exactly?  What do you want this to do for you? Are you
looking to purchase something?  How big is your network, how big is your
company?


At 09:43 AM 7/29/2003 -0600, Glenn English wrote:
On Tue, 2003-07-29 at 03:12, subscribe wrote:

1. I'm not sure which syslog daemon to choose: syslogd or syslog-ng.
   Any comments?

syslogd. Start it with the -r switch to have it listen on port 413,
UDP.

2. I have to make the syslog daemon secure so that only the hosts I
choose can connect.
   Are there any whitepapers or recommendations on how to do this?

On Linux, use iptables or ipchains as a packet filter.

3. I need to have a good syslog analyzer to do the logs, report on
email or web.
   What is the best tool for this?

logwatch does a pretty good job. It's bundled with most Linux distros.

--
Glenn English
ghe () slsware com
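The firewall approach discussed for question 2 (allow only chosen hosts to reach the collector on 514/UDP, block everything else), written out as an added example; this is not code from the thread or from any of its posters. The function emits iptables commands as text so they can be reviewed before being piped to a shell; the log host address 192.0.2.10 and the two sender addresses are constructed placeholders, and the chain name SYSLOG_IN is an assumption.

```shell
#!/bin/sh
# Added example: build iptables rules that let only listed hosts send
# syslog to the log host on 514/udp, and log-then-drop everything else.
# Addresses below are constructed placeholders; SYSLOG_IN is an assumed
# chain name. Review the output, then apply with:
#   syslog_fw_rules 192.0.2.10 192.0.2.21 192.0.2.22 | sh

syslog_fw_rules() {
    loghost="$1"; shift
    # Create the chain, or flush it if it already exists, so re-runs are clean
    echo "iptables -N SYSLOG_IN 2>/dev/null || iptables -F SYSLOG_IN"
    # One ACCEPT per approved sender; first match wins, so these come first
    for h in "$@"; do
        echo "iptables -A SYSLOG_IN -s $h -p udp --dport 514 -j ACCEPT"
    done
    # Rate-limited LOG so unexpected senders show up in the collector's own log
    echo "iptables -A SYSLOG_IN -p udp --dport 514 -m limit --limit 5/min -j LOG --log-prefix \"syslog-denied: \""
    # Anything else aimed at the collector port is dropped
    echo "iptables -A SYSLOG_IN -p udp --dport 514 -j DROP"
    # Hook the chain at the top of INPUT for traffic to the log host address
    echo "iptables -I INPUT -d $loghost -p udp --dport 514 -j SYSLOG_IN"
}

# Sanity check helper: number of ACCEPT rules produced for a given host list
count_accepts() {
    syslog_fw_rules "$@" | grep -c -- '-j ACCEPT'
}
```

Because iptables evaluates rules in order, the per-host ACCEPT lines must precede the LOG and DROP lines; the LOG line is what turns a stray sender into something a daily logwatch summary will surface rather than silently discard.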

