Full Disclosure mailing list archives

Re: network management


From: Valdis.Kletnieks () vt edu
Date: Tue, 19 Feb 2008 13:04:17 -0500

On Tue, 19 Feb 2008 18:26:06 +0200, shadow floating said:
> Hi all,
> is it appropriate from security point of view to have one server in
> which syslog is installed to collect logs from all network devices

In general, yes.  That way, even if a box is compromised and the attacker
manages to wipe the local copy of the logs, you still have another copy
elsewhere.

It's even *more* useful for the more common case - a machine is starting to
go unstable, logging on the fly to both local disk and a remote machine. It
finally belly-ups, and the last bit of logs on the local end aren't flushed
to disk.   However, you still have a captured copy on the syslog server
where you can figure out why the machine died.

> network devices?, if yes, does anyone recommend certain specs for this
> machine or it can be an ordinary machine with 1 GB of memory and 512
> GB hard disk and 3.2 GHz processor.

This is entirely dependent on local configuration issues - how many devices you
have, what level of logging you do (just critical messages, or everything from
debug on up), and what (if any) log retention requirements you have. If you
have 30 systems, only log critical messages that pop out once every hour or so,
and only keep 30 days' worth, an old Pentium-II with a 300 meg hard drive will
be enough.  If your network infrastructure includes 1,100 switches, 1,300
wireless access points, several hundred servers, and you have legal
requirements to keep stuff for 3 years, you'll want something a bit beefier. I
*can* say that a box with 4 2.8GHz Xeons and 2G of RAM running syslog-ng can
handle 800 msgs/sec without even breaking a sweat, and stress tests indicate
that 4K/sec is easily doable.
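The reply's point that the collector's copy survives a local wipe or an unflushed crash can be checked mechanically. The following is an added example, not code from the thread: it parses RFC 3164-style lines as a syslog or syslog-ng collector writes them (the sample log lines and host names are constructed) and lists, per host, the messages the central server holds that the host's own log no longer has.

```python
import re
from collections import Counter, defaultdict

# RFC 3164-style line as written by a typical syslog/syslog-ng collector:
#   "Feb 19 13:04:17 hostname program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse(lines):
    """Group (timestamp, message) tuples by originating host."""
    by_host = defaultdict(list)
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if m:  # unparseable lines are skipped rather than guessed at
            by_host[m["host"]].append((m["ts"], m["msg"]))
    return by_host

def missing_locally(remote_lines, local_lines):
    """Per host, messages the collector has but the host's own log lacks
    (local wipe, or the tail lost when the box crashed before flushing).
    Counter subtraction keeps duplicates honest: a message logged twice
    remotely but once locally is reported once."""
    remote, local = parse(remote_lines), parse(local_lines)
    report = {}
    for host, entries in remote.items():
        gap = Counter(entries) - Counter(local.get(host, []))
        # lexicographic sort is chronological within one month, enough here
        missing = sorted(gap.elements())
        if missing:
            report[host] = missing
    return report

# Constructed sample: the collector's copy versus what survived on each host.
REMOTE_LOG = [
    "Feb 19 13:04:10 web1 sshd[812]: Accepted publickey for ops from 10.0.0.5",
    "Feb 19 13:04:12 web1 sudo: pam_unix(sudo:session): session opened for root",
    "Feb 19 13:04:13 web1 kernel: Out of memory: Kill process 1337 (httpd)",
    "Feb 19 13:04:11 db1 postgres[400]: checkpoint starting: time",
]
LOCAL_LOGS = [  # web1 kept only its first line; db1 kept everything
    "Feb 19 13:04:10 web1 sshd[812]: Accepted publickey for ops from 10.0.0.5",
    "Feb 19 13:04:11 db1 postgres[400]: checkpoint starting: time",
]

if __name__ == "__main__":
    for host, msgs in missing_locally(REMOTE_LOG, LOCAL_LOGS).items():
        print(f"{host}: {len(msgs)} message(s) exist only on the collector")
        for ts, msg in msgs:
            print(f"  {ts}  {msg}")
```

Messages present locally but absent on the collector (for example UDP delivery drops) are deliberately not reported; that is a transport problem, not the tampering or crash case the reply describes.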


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
