Security Basics mailing list archives
Re: Need to implemet Syslog server
From: "John R. Morris" <jrmorris () nerdality com>
Date: Fri, 12 Nov 2004 19:46:30 -0500
Juan B wrote:
> Hi, on my network I need to implement a Syslog server which will need to log from many servers such as Windows 2000 domain controllers, IDS systems, maybe Cisco routers, etc.

This comes up pretty frequently. Pretty much everything but Windows will likely talk to syslog if told to, with no additional software required: Linux/Unix servers & workstations (including Mac OS X) can all talk to a syslog server.
Cisco gear can be configured to log to syslog: http://www.siliconvalleyccie.com/cisco-hn/syslog-cisco.htm
Google will turn up more, if you have more specific Cisco gear and the above doesn't cover it. It's pretty configurable, you can even tune things like loglevel IIRC, although Cisco's idea of useful informational events and everyone else's can vary, so read up on it.
A great many other managed network devices support syslogging, as well. YMMV depending on your equipment.
Your IDS should support it; if not, I'd consider whacking anybody who made an IDS solution, free or commercial, that didn't have good log output options for events. I pretty much only use Snort so I can't speak as to specifics.
Windows is a bit more problematic, I've found: http://www.edoceo.com/creo/winlogd/
Extremely cool tool to log from Windows Events to Syslog, appears to be free, some command line typing (winlogd -i to install it as a service) and registry editing for configuration, follow the instructions, save your registry config out as a key file so you can drop it in on additional servers assuming you wanted to have them all log to the same syslog server.
> Also, assuming I have many servers (15-20 servers to take logs from) what are the Syslog hardware server requirements? More CPU? Memory? Which is the best open source software to use? I prefer to work with Red Hat.

Red Hat will work, or Fedora Core, rather, assuming you don't want their commercial options. Logs from 15-20 servers should not be overly taxing in terms of CPU or memory; it's not a computationally intense task, nor does it tend to take much memory. More important is good, responsive, stable network hardware (get a good net card that doesn't produce errors and has at least the same bandwidth as your other servers; probably 10/100 will suffice). The most important thing for a logserver tends to be disk space; depending on how long you want to keep logs around for (longer is usually better in my experience), and how safe you want them to be, big disks and RAID should be considered. Access to tape or other backup options is a plus in this arena, too. An old Sun pizza box (Sparcstation 5 IIRC) can handle a surprising number of hosts (40-50, and that was not a limit, just what we had) syslogging to it; disk space was the only thing that was really inadequate, we had to keep moving old logs elsewhere.
Finally, the biggest consideration for a log server should be keeping it secure. Don't run anything but syslog and ssh that opens a port. Limit remote access to a few trusted, well secured workstations to act as management consoles, and limit the users who have an account to the minimum. Avoid network filesystems such as NFS if at all possible, keep it off of LDAP/NIS global auth unless totally impractical, and implement audit trails for all sessions on the box and for the filesystem to stay on top of any potential log tampering. Keeping the box physically secure is good, too. Obviously you can go as far as you want to with this. Just keep in mind that not only are logs great troubleshooting tools, but they are usually your only source for complete records of events when things go pear-shaped in any way, and can be the most convincing evidence in that sense.
Implementing a standardized way to tar & gzip old logs and store them will reward you manyfold, whether you write your own or grab someone else's. Make sure you install things like gzcat for going through those tarballs though, it saves a ton of time ;).
Just my humble sysadmin perspective on the topic.
- John

P.S. if anyone needs a Linux/Unix admin in the Greensboro/Winston-Salem area, I'm here, I'm affordable, e-mail me. Thanks.
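As an added example (not John's script or anything from this thread), here is the kind of standardized tar & gzip archiving he recommends, extended with a SHA-256 manifest so a later change to an archived log is detectable; the directory names and the 30-day age threshold are hypothetical, and it assumes GNU coreutils `sha256sum` and a `tar` that accepts `-C` and `-T`.

```shell
#!/bin/sh
# Added example, not from the original post: archive rotated logs older than
# N days into one dated tar.gz and record its SHA-256 in a manifest, so a
# later change to an archived log is detectable. Directory names are
# hypothetical; pass your own.

archive_old_logs() {
    # $1 log directory, $2 archive directory, $3 minimum age in days
    logdir=$1; days=$3
    # Resolve the archive directory to an absolute path so the list file
    # and tarball paths stay valid after tar's -C changes directory.
    dest=$(mkdir -p "$2" && cd "$2" && pwd) || return 1
    tarball="$dest/logs-$(date +%Y%m%d-%H%M%S).tar.gz"
    list="$dest/.filelist.$$"

    # Candidate files as paths relative to $logdir; -mtime +N means "older than N days".
    (cd "$logdir" && find . -type f -mtime +"$days") > "$list" || return 1
    if [ ! -s "$list" ]; then
        rm -f "$list"
        return 2            # nothing old enough to archive
    fi

    tar -czf "$tarball" -C "$logdir" -T "$list" || return 1
    # Append the checksum to the manifest kept beside the archives.
    (cd "$dest" && sha256sum "$(basename "$tarball")" >> SHA256SUMS) || return 1
    # Delete originals only after the archive exists and has been hashed.
    (cd "$logdir" && xargs rm -f < "$list")
    rm -f "$list"
    printf '%s\n' "$tarball"
}

# Check every archive in the directory against the manifest; non-zero on mismatch.
verify_archives() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS)
}
```

Run `verify_archives` from cron and after any restore; keep a copy of SHA256SUMS off the log server, since a manifest stored next to the archives only helps if the attacker did not get to edit both.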
Current thread:
- Need to implemet Syslog server Juan B (Nov 12)
- Re: Need to implemet Syslog server Jon Agland (Nov 15)
- Re: Need to implemet Syslog server John R. Morris (Nov 15)
- <Possible follow-ups>
- RE: Need to implemet Syslog server Danny Puckett (Nov 15)
- RE: Need to implemet Syslog server Andrew Shore (Nov 15)