Firewall Wizards mailing list archives
Re: Logging
From: "James W. Abendschan" <jwa () jammed com>
Date: Wed, 25 Oct 2000 16:36:15 -0700 (PDT)
On Wed, 25 Oct 2000, sim wrote:
I have a Sparc 10 running Redhat 6.2 as a firewall for a small network. Inside the network is a logserver that syslog sends most of the logs to. I am wondering if anyone has any suggestions as to what needs to be logged or a starting point for this kind of information. Here is what it is currently logging
[ .. ]

syslog levels are useful on some systems, but I tend to do this on firewalls:

    *.debug    /var/log/syslog
    *.debug    @your.log.host

This will log *everything* to syslog, all in one place (however it won't capture kernel messages in Solaris 2.7; it seems you need an explicit 'kern.debug' to catch those.)

Later, I use a simple tool to go through the log, and apply some inverse matching against it (make a list of all the benign log messages generated by your system and then search the syslog for things that aren't in this list.) And when I want to grep for certain events, I need only look in one place.

If you want the ability to filter per-process (i.e., send everything snort logs to one file, send everything sendmail generates to another, and send anything generated by the kernel to the console), try syslog-ng: http://www.balabit.hu/products/syslog-ng/ .. It lets you do all sorts of cool little things with syslog.

James

-- 
"It is, as I said, intolerable that one small group continues to interfere with the governments' right to monitor subversion, disaffection, and treason." -- John Brunner, _The Shockwave Rider_

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
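The inverse-matching pass described in the reply above, written out as an added example that is not part of the thread: the benign-pattern allowlist, the BSD syslog header layout and the sample log lines are constructed assumptions, and the script reports every line whose message matches none of the allowlisted patterns (unparseable lines are reported as well, since a line with no syslog header is itself worth a look).

```python
import re

# Constructed allowlist of benign messages, matched against the text that
# follows the syslog header. Grow this list from your own hosts' normal noise.
BENIGN_PATTERNS = [
    r"^-- MARK --$",
    r"^CRON\[\d+\]: \(root\) CMD \(.*\)$",
    r"^sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+",
    r"^sendmail\[\d+\]: .* stat=Sent",
]

# Traditional BSD syslog header: "Oct 25 16:36:15 host message..."
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")


def strip_header(line):
    """Return (host, message), or (None, line) when the header does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None, line
    return m.group(1), m.group(2)


def inverse_match(lines, patterns=BENIGN_PATTERNS):
    """Return the lines that match none of the benign patterns.

    A line whose header cannot be parsed is kept too, rather than silently
    dropped, because the allowlist could not be applied to it.
    """
    compiled = [re.compile(p) for p in patterns]
    suspicious = []
    for line in lines:
        host, msg = strip_header(line)
        if host is None or not any(c.search(msg) for c in compiled):
            suspicious.append(line)
    return suspicious


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
Oct 25 16:36:15 fw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Oct 25 16:36:20 fw -- MARK --
Oct 25 16:37:02 fw sshd[2201]: Accepted publickey for jwa from 10.0.0.5 port 40210 ssh2
Oct 25 16:37:40 fw sshd[2210]: Failed password for root from 192.0.2.77 port 50123 ssh2
Oct 25 16:38:01 fw kernel: martian source 10.0.0.1 from 192.0.2.9, on dev eth0
Oct 25 16:38:30 fw sendmail[2300]: e9PNcUx02300: to=<ops@example.net>, stat=Sent (ok)
garbage line without a syslog header
""".splitlines()

if __name__ == "__main__":
    for line in inverse_match(SAMPLE_LOG):
        print(line)
```

Run against a real /var/log/syslog by replacing SAMPLE_LOG with the file's lines; everything printed is either an event to investigate or a benign message still missing from the allowlist.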