PaulDotCom mailing list archives
Re: Setting up a syslog server
From: Tom Handlon <thandlon () gmail com>
Date: Mon, 7 Jan 2013 11:22:14 -0500
You can install syslog-ng and configure the /etc/syslog-ng.conf file to just accept all syslog traffic. You can easily separate out logs for each host (and more, can get granular) by setting up filters.

Essentially syslog-ng.conf is composed of a "destination", which is where you want the log files to go, a "filter" that parses the incoming syslog messages and places them in the right log file, and then the "log paths", which are basically "source" (udp); "filter" (host); "destination" (log files).

Install it and open the conf file; pretty straightforward and easy. Edit logrotate.conf as well.

Here are some quick articles and a forum that go over the basics to get it up and running:

http://sudonetworks.com/wiki/index.php?title=Syslog-ng_for_IP_Networks
http://blog.monitis.com/index.php/2011/08/28/getting-started-with-syslog-ng/
http://blog.monitis.com/index.php/2011/08/31/how-to-filter-logs-with-syslog-ng/
http://www.syslog.org/forum/syslog-ng/

On Mon, Jan 7, 2013 at 10:58 AM, Robin Wood <robin () digininja org> wrote:
On 7 January 2013 15:18, Ralph Durkee <rd () rd1 net> wrote:

You haven't given much background on why you want a syslog server. But you may want to consider if something like OSSEC.net would be a better and more complete solution. It's a multi-platform host-based IPS with centralized monitoring. Open source as well!

Unfortunately I can't give too much away as it is part of a commercial project; at the moment they just want me to evaluate how easy it is to set up and to gain an idea of how much data is generated each day. I'll have a look at OSSEC as well, but I think from what I've been told that a simple syslog server with Snare to grab logs from Windows will do what they want.

Robin

-- 
Ralph Durkee

Xavier Mertens <xavier () rootshell be> wrote:

Hi Robin,

Consider using Syslog over TCP (+ TLS if you can't trust the network - can we? :-) rsyslog has a nice feature to queue your events when the central rsyslog is not available.

Alternatively, you can use Splunk in distributed mode: collect locally and send to a central Splunk server (http://blog.rootshell.be/2012/12/22/howto-distributed-splunk-architecture/) (Splunk may become expensive if >500MB of data processed per day)

/x

-- 
Can't sleep, hackers will eat me!
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2C

On 07 Jan 2013, at 00:30, Robin Wood <robin () digininja org> wrote:

On 6 January 2013 21:54, Doug Burks <doug.burks () gmail com> wrote:

Hi Robin,

One option would be to install Security Onion and enable ELSA. You'll automatically get syslog-ng and a nice web interface to hunt through your logs.

I might do that as the server side, just need to figure out how to get various machines to send all their stuff to it.

Robin

Thanks,
Doug

On Sunday, January 6, 2013, Robin Wood wrote:

Hi
I'm going to be setting up a syslog server for the first time next week, can anyone recommend any good guides? I know there are quite a few out there but want a good, tested one.

Robin

-- 
Doug Burks
http://securityonion.blogspot.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
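The pieces Tom lists (source, filter, destination, log path) put together into one syslog-ng.conf, added here as an illustration and not a config taken from the thread or from the linked articles. The sender addresses, file paths, certificate locations and the 6514 listener are assumed; the TLS listener follows Xavier's point about running syslog over TCP plus TLS when the network can't be trusted, and the @version line must match the syslog-ng release actually installed.

```conf
@version: 3.3
# Central syslog-ng collector (assumed example config, not from the thread).
# Addresses, paths and certificate locations are placeholders.

options {
    # Don't trust the hostname field inside the datagram: anything sending
    # UDP syslog can write any name there.  With keep_hostname(no) syslog-ng
    # replaces it with the sender's address (reverse-resolved if use_dns(yes)),
    # so the host() filters below key on where the packet actually came from.
    # A spoofed UDP source address still gets past this; TLS with client
    # certificates (s_tls below) is the only listener where the sender is
    # really authenticated.
    keep_hostname(no);
    use_dns(no);
    use_fqdn(no);
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
    stats_freq(600);
};

# --- sources: the "source (udp)" part of the log path ----------------------
# UDP/514 for devices that can't do anything else (no delivery guarantee).
source s_udp { udp(ip(0.0.0.0) port(514)); };

# TCP/514 for hosts that support it (reliable, still cleartext).
source s_tcp { tcp(ip(0.0.0.0) port(514)); };

# TLS on 6514 for an untrusted network.  peer_verify(required-trusted) makes
# the client present a certificate signed by a CA under ca_dir (that
# directory holds hash-named CA certs, e.g. produced with c_rehash).
source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            key_file("/etc/syslog-ng/tls/server.key")      # assumed path
            cert_file("/etc/syslog-ng/tls/server.crt")     # assumed path
            ca_dir("/etc/syslog-ng/tls/ca.d")              # assumed path
            peer_verify(required-trusted)
        )
    );
};

# --- filters: the "filter (host)" part ------------------------------------
filter f_fw01    { host("192.0.2.10"); };                          # assumed firewall
filter f_windows { host("192.0.2.20") or host("192.0.2.21"); };    # assumed Snare clients
filter f_auth    { facility(auth, authpriv); };                    # logins from any host

# --- destinations: the "destination (log files)" part ---------------------
destination d_fw01    { file("/var/log/remote/fw01.log"); };
destination d_windows { file("/var/log/remote/windows.log"); };
destination d_auth    { file("/var/log/remote/auth.log"); };
# Catch-all: one directory per sending host, a new file each day, so the
# daily volume Robin wants to measure is just the size of that day's file.
destination d_perhost { file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log"); };

# --- log paths: source -> filter -> destination ---------------------------
# A message matching several paths is written to each of them; the
# catch-all path has no filter, so everything also lands under d_perhost.
log { source(s_udp); source(s_tcp); source(s_tls); filter(f_fw01);    destination(d_fw01);    };
log { source(s_udp); source(s_tcp); source(s_tls); filter(f_windows); destination(d_windows); };
log { source(s_udp); source(s_tcp); source(s_tls); filter(f_auth);    destination(d_auth);    };
log { source(s_udp); source(s_tcp); source(s_tls); destination(d_perhost); };
```

Run `syslog-ng -s` (syntax check only) before reloading. The date-stamped per-host files need no logrotate entry because a new file opens each day; the fixed-name files (fw01.log, windows.log, auth.log) do, and the logrotate stanza for them should reload syslog-ng in its postrotate step so the daemon stops writing to the rotated file. Expect the UDP and cleartext TCP listeners to tell you only where a message claims to come from; if that distinction matters for the evaluation, measure volume from the TLS listener.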
Current thread:
- Re: Setting up a syslog server, (continued)
- Re: Setting up a syslog server Brett (Jan 06)
- Re: Setting up a syslog server Robin Wood (Jan 06)
- Re: Setting up a syslog server Carlos Perez (Jan 06)
- Re: Setting up a syslog server Robin Wood (Jan 06)
- Re: Setting up a syslog server Doug Burks (Jan 06)
- Re: Setting up a syslog server Robin Wood (Jan 06)
- Re: Setting up a syslog server Xavier Mertens (Jan 07)
- Re: Setting up a syslog server Ralph Durkee (Jan 07)
- Re: Setting up a syslog server Robin Wood (Jan 07)
- Re: Setting up a syslog server Champ Clark III (Jan 07)
- Re: Setting up a syslog server Tom Handlon (Jan 07)
- Re: Setting up a syslog server Robin Wood (Jan 06)
- Re: Setting up a syslog server Brett (Jan 06)
- Re: Setting up a syslog server Albert R. Campa (Jan 07)
- Re: Setting up a syslog server John Franklin (Jan 07)
- Re: Setting up a syslog server Robin Wood (Jan 07)