Firewall Wizards mailing list archives

Re: Logging


From: "James W. Abendschan" <jwa () jammed com>
Date: Wed, 25 Oct 2000 16:36:15 -0700 (PDT)

On Wed, 25 Oct 2000, sim wrote:
I have a Sparc 10 running Redhat 6.2 as a firewall for a small network.
Inside the network is a logserver that syslog sends most of the logs to.  I
am wondering if anyone has any suggestions as to what needs to be logged or
a starting point for this kind of information.
Here is what it is currently logging

[ .. ]

syslog levels are useful on some systems, but I tend to do this on
firewalls:

    *.debug         /var/log/syslog
    *.debug         @your.log.host

This will log *everything* to syslog, all in one place (however it 
won't capture kernel messages in Solaris 2.7; it seems you need
an explicit 'kern.debug' to catch those.)  Later, I use a simple tool 
to go through the log, and apply some inverse matching against it (make a 
list of all the benign log messages generated by your system and then 
search the syslog for things that aren't in this list.)  And when I 
want to grep for certain events, I need only look in one place.

If you want the ability to filter per-process (ie, send everything
snort logs to one file, send everything sendmail generates to another,
and send anything generated by the kernel to the console), try
syslog-ng: http://www.balabit.hu/products/syslog-ng/ .. It lets 
you do all sorts of cool little things with syslog.

James

--
"It is, as I said, intolerable that one small group continues to interfere
with the governments' right to monitor subversion, disaffection, and treason."
                                      -- John Brunner, _The Shockwave Rider_


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
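The "inverse matching" James describes (keep a list of the benign messages your system produces, then show only what is not on that list) is easy to script. Below is an added example of such a filter; it is not James's tool and not from the original post. The sample log lines, hostnames, addresses and whitelist patterns are all constructed for illustration. It assumes classic single-line syslog format ("Mon DD HH:MM:SS host program[pid]: message"), strips the timestamp and hostname before matching so one pattern covers every day and every forwarding host, and uses character classes for variable fields (PIDs, addresses, user names) so the whitelist stays short.

```python
"""Inverse matching over a syslog file: list every line NOT covered by a
whitelist of known-benign message patterns.  What is left is what a
human should read.  Added example; log lines and patterns are constructed."""
import re
import sys
from typing import Iterable, List

# Classic syslog line: "Oct 25 16:36:15 hostname program[pid]: message".
# The timestamp and hostname are dropped before matching.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# Whitelist of benign messages (constructed).  Each regex is applied with
# fullmatch() to the line after the prefix is removed, so a pattern must
# describe the whole message, not just a substring of it.
BENIGN_PATTERNS = [
    r"sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2",
    r"CRON\[\d+\]: \(\w+\) CMD \(.*\)",
    r"sendmail\[\d+\]: \w+: to=<[^>]+>, .*stat=Sent.*",
    r"syslogd \S+: restart\.",
    r"snort\[\d+\]: Initialization Complete",
]


def normalize(line: str) -> str:
    """Drop timestamp and hostname so patterns match on content only."""
    return SYSLOG_PREFIX.sub("", line.rstrip("\n"))


def compile_patterns(patterns: Iterable[str]) -> List[re.Pattern]:
    return [re.compile(p) for p in patterns]


def unknown_lines(lines: Iterable[str], patterns=BENIGN_PATTERNS) -> List[str]:
    """Return the original lines that match none of the benign patterns.

    Empty lines are skipped; everything else that is not explicitly
    whitelisted is reported, which is the point of inverse matching:
    an unexpected message is never silently dropped."""
    compiled = compile_patterns(patterns)
    leftovers = []
    for line in lines:
        body = normalize(line)
        if not body:
            continue
        if not any(p.fullmatch(body) for p in compiled):
            leftovers.append(line.rstrip("\n"))
    return leftovers


# Constructed sample: a slice of a small firewall's /var/log/syslog.
SAMPLE_LOG = """\
Oct 25 00:00:01 fw syslogd 1.3-3: restart.
Oct 25 00:05:01 fw CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Oct 25 08:12:44 fw sshd[1320]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Oct 25 08:13:02 fw sshd[1325]: Failed password for root from 10.0.0.77 port 40012 ssh2
Oct 25 08:30:10 fw kernel: eth1: Promiscuous mode enabled.
Oct 25 09:00:00 fw sendmail[1400]: e9PG00a01400: to=<ops@example.test>, delay=00:00:01, mailer=local, stat=Sent
Oct 25 09:15:33 fw snort[1450]: Initialization Complete
"""

if __name__ == "__main__":
    # Usage: python inverse_match.py [/var/log/syslog]; with no file
    # argument the constructed sample above is filtered instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LOG.splitlines(True)
    for line in unknown_lines(source):
        print(line)
```

Run against the constructed sample, only the failed root login and the kernel promiscuous-mode message come out; everything else is on the whitelist. The whitelist should be grown from what the firewall actually emits in normal operation (for instance by reviewing a few days of output of this script), and new entries should be as specific as possible: a pattern like `sshd\[\d+\]: .*` would also swallow the failed logins, which defeats the purpose.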

