https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553020#M745926 But, I need to centralize a hundred above server's log. This log server is needed a high security, and the content of the log would be auditable and reportable. Thu, 26 May 2005 23:58:21 GMT Dick CHAU 2005-05-26T23:58:21Z https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553018#M745924 Dear all,<BR /><BR />I want to setup a Centralise Log server.<BR />Any secure software suggestion? Thu, 26 May 2005 23:32:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553018#M745924 Dick CHAU 2005-05-26T23:32:56Z https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553019#M745925 I would suggest a low tech, effecive solution.<BR /><BR />Set up an old hp/ux or Linux box. Enable openssh with public keys exchanged to all servers.<BR /><BR />Make a massive filesystem, called /logs<BR /><BR />Make a subdirectory for each system.<BR /><BR />Have the individual systems scp -p the logfiles you want centralized on a schedule.<BR /><BR />scp -p /var/adm/syslog/syslog.log logserver:/logs/hostname<BR /><BR />SEP Thu, 26 May 2005 23:48:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553019#M745925 Steven E. Protter 2005-05-26T23:48:11Z https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553020#M745926 But, I need to centralize a hundred above server's log. This log server is needed a high security, and the content of the log would be auditable and reportable. Thu, 26 May 2005 23:58:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553020#M745926 Dick CHAU 2005-05-26T23:58:21Z https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553021#M745927 Do you want just syslog data or other<BR />logs as well?<BR /><BR />In addition to Steven's suggestion, another standard approach here is<BR />syslog forwarding. On each client system you'd add a forwarding line to<BR />/etc/syslog.conf (man syslogd for details) and the <BR />syslog message will be written to the local syslog and<BR />additionally sent to your consolidating host. <BR /><BR />This syslog forwarding approach has several undesirable<BR />characteristics:<BR /><BR />- it uses UDP. You are not guaranteed to get<BR /> all log messages. They aren't "lost" in<BR /> the sense that they are still present<BR /> in the originating host's syslog.log but<BR /> they are not guaranteed to be in the remote consolidated log. <BR /><BR />- UDP isn't secure enough for some. If your care about<BR /> security on the wire (packet sniffing) then<BR /> this isn't a good solution. <BR /><BR />One approach that helps remedy the above issues it to <BR />replace syslogd with an open source tool called syslog-ng<BR />(next generation). syslog-ng offers a TCP/IP transport<BR />in addition to UDP. With TCP you can now encrypt <BR />the traffic using tools like ssh tunnel and stunnel. <BR />syslog-ng has better filtering features and log <BR />naming features that help with log rotation, etc. <BR /><BR />Note that even when using the TCP/IP transport, syslog-ng <BR />cannot guarantee there will be no message loss. <BR />It helps however and you can control the buffer <BR />sizes on the client side to try and minimize this issue. <BR /><BR />To secure your centralized log server, look at the bastille<BR />tool. You typically want to lock this system down<BR />very tightly and bastille can help you do that. Mon, 30 May 2005 21:42:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/centralise-log-server-help/m-p/3553021#M745927 PeterWolfe 2005-05-30T21:42:09Z