Security Basics mailing list archives

Re: Need to implement Syslog server


From: "John R. Morris" <jrmorris () nerdality com>
Date: Fri, 12 Nov 2004 19:46:30 -0500

Juan B wrote:

Hi,

On my network I need to implement a Syslog server which will need to log from many servers such as Windows 2000 domain controllers, IDS systems, maybe Cisco routers, etc.

This comes up pretty frequently. Pretty much everything but Windows will likely talk to syslog if told to, with no additional software required: Linux/Unix servers & workstations (including Mac OS X) can all talk to a syslog server.

Cisco gear can be configured to log to syslog:
http://www.siliconvalleyccie.com/cisco-hn/syslog-cisco.htm
Google will turn up more, if you have more specific Cisco gear and the above doesn't cover it. It's pretty configurable; you can even tune things like log level IIRC, although Cisco's idea of useful informational events and everyone else's can vary, so read up on it.

A great many other managed network devices support syslogging, as well. YMMV depending on your equipment.

Your IDS should support it; if not, I'd consider whacking anybody who made an IDS solution, free or commercial, that didn't have good log output options for events. I pretty much only use Snort so I can't speak as to specifics.

Windows is a bit more problematic, I've found:
http://www.edoceo.com/creo/winlogd/
Extremely cool tool to log from Windows Events to Syslog, appears to be free. Some command line typing (winlogd -i to install it as a service) and registry editing for configuration; follow the instructions, and save your registry config out as a key file so you can drop it in on additional servers, assuming you want to have them all log to the same syslog server.

Also, assuming I have many servers (15-20 servers to take logs from), what are the Syslog hardware server requirements? More CPU? Memory? Which is the best open source software to use? I prefer to work with Red Hat.

Red Hat will work, or Fedora Core, rather, assuming you don't want their commercial options. Logs from 15-20 servers should not be overly taxing in terms of CPU or memory; it's not a computationally intense task nor does it tend to take much memory. More important is good, responsive, stable network hardware (get a good net card that doesn't produce errors and has at least the same bandwidth as your other servers; probably 10/100 will suffice). The most important thing for a logserver tends to be disk space; depending on how long you want to keep logs around for (longer is usually better in my experience), and how safe you want them to be, big disks and RAID should be considered. Access to tape or other backup options is a plus in this arena, too. An old Sun pizza box (Sparcstation 5 IIRC) can handle a surprising number of hosts (40-50, and that was not a limit, just what we had) syslogging to it; disk space was the only thing that was really inadequate, we had to keep moving old logs elsewhere.

Finally, the biggest consideration for a log server should be keeping it secure. Don't run anything but syslog and ssh that opens a port. Limit remote access to a few trusted, well secured workstations to act as management consoles, and limit the users who have an account to the minimum. Avoid network filesystems such as NFS if at all possible, keep it off of LDAP/NIS global auth unless totally impractical, and implement audit trails for all sessions on the box and for the filesystem to stay on top of any potential log tampering. Keeping the box physically secure is good, too. Obviously you can go as far as you want to with this. Just keep in mind that not only are logs great troubleshooting tools, but they are usually your only source for complete records of events when things go pear-shaped in any way, and can be the most convincing evidence in that sense.

Implementing a standardized way to tar & gzip old logs and store them will reward you manyfold, whether you write your own or grab someone else's. Make sure you install things like gzcat for going through those tarballs though, it saves a ton of time ;).

Just my humble sysadmin perspective on the topic.

- John

P.S. if anyone needs a Linux/Unix admin in the Greensboro/Winston-Salem area, I'm here, I'm affordable, e-mail me. Thanks.
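The "standardized way to tar & gzip old logs" John recommends, together with his point about staying on top of log tampering, as an added example that is not part of the original post: a small POSIX shell script that packs logs older than N days into a timestamped gzipped tarball and keeps a SHA-256 manifest so a later check can tell whether an archive has been altered. It assumes GNU tar, find and coreutils (sha256sum); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original post): archive old logs into a
# dated .tar.gz and record a hash manifest so tampering with an archive is
# detectable later. Assumes GNU tar, find and coreutils (sha256sum).

# archive_old_logs SRC_DIR DEST_DIR DAYS
# Packs files under SRC_DIR last modified more than DAYS days ago into
# DEST_DIR/logs-<timestamp>.tar.gz, removes the originals, appends the
# archive's SHA-256 to DEST_DIR/MANIFEST.sha256 and prints the archive path
# (prints nothing and returns 0 when no file qualified).
archive_old_logs() {
    src="$1"; days="$3"
    mkdir -p "$2"
    dest="$(cd "$2" && pwd)"        # absolute path, since we cd into SRC_DIR below
    list="$(mktemp)"
    # -mtime +N selects files modified more than N days ago; paths are relative to SRC_DIR
    ( cd "$src" && find . -type f -name '*.log*' -mtime +"$days" ) > "$list"
    if [ ! -s "$list" ]; then
        rm -f "$list"
        return 0
    fi
    archive="$dest/logs-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -T reads the member list; --remove-files deletes each original once it is stored
    ( cd "$src" && tar -czf "$archive" -T "$list" --remove-files )
    rm -f "$list"
    ( cd "$dest" && sha256sum "$(basename "$archive")" >> MANIFEST.sha256 )
    echo "$archive"
}

# verify_archives DEST_DIR
# Returns non-zero if any archive listed in the manifest is missing or altered.
verify_archives() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}
```

Run archive_old_logs from cron against the syslog spool directory and verify_archives from a separate audit job; a failing verification on a box where only syslog and ssh are listening is worth investigating rather than ignoring.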

