- Re: Centralise Log Server Help
Operating System - HP-UX
05-26-2005 04:32 PM
Dear all,
I want to set up a centralised log server.
Any secure software suggestions?
05-26-2005 04:48 PM
Solution
I would suggest a low tech, effective solution.
Set up an old hp/ux or Linux box. Enable openssh with public keys exchanged to all servers.
Make a massive filesystem, called /logs
Make a subdirectory for each system.
Have the individual systems scp -p the logfiles you want centralized on a schedule.
scp -p /var/adm/syslog/syslog.log logserver:/logs/hostname
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
05-26-2005 04:58 PM
Re: Centralise Log Server Help
But I need to centralize the logs of more than a hundred servers. This log server needs high security, and the content of the logs should be auditable and reportable.
05-30-2005 02:42 PM
Re: Centralise Log Server Help
Do you want just syslog data or other
logs as well?
In addition to Steven's suggestion, another standard approach here is
syslog forwarding. On each client system you'd add a forwarding line to
/etc/syslog.conf (man syslogd for details) and the
syslog message will be written to the local syslog and
additionally sent to your consolidating host.
This syslog forwarding approach has several undesirable
characteristics:
- it uses UDP. You are not guaranteed to get
all log messages. They aren't "lost" in
the sense that they are still present
in the originating host's syslog.log but
they are not guaranteed to be in the remote consolidated log.
- UDP isn't secure enough for some. If you care about
security on the wire (packet sniffing) then
this isn't a good solution.
One approach that helps remedy the above issues is to
replace syslogd with an open source tool called syslog-ng
(next generation). syslog-ng offers a TCP/IP transport
in addition to UDP. With TCP you can now encrypt
the traffic using tools like ssh tunnel and stunnel.
syslog-ng has better filtering features and log
naming features that help with log rotation, etc.
Note that even when using the TCP/IP transport, syslog-ng
cannot guarantee there will be no message loss.
It helps however and you can control the buffer
sizes on the client side to try and minimize this issue.
To secure your centralized log server, look at the bastille
tool. You typically want to lock this system down
very tightly and bastille can help you do that.
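
The forwarding options described in the reply above, side by side, as an added configuration sketch that is not part of the original posts: plain UDP forwarding from syslogd, then syslog-ng over TCP wrapped in stunnel. The host name `loghost`, ports 5140/5141, the certificate paths and the Linux-style local source are assumptions; the syntax is that of classic syslog-ng and stunnel 4 releases (newer syslog-ng versions also expect an `@version` header line).

```conf
## Client, /etc/syslog.conf: stock syslogd forwarding (UDP, cleartext).
## Selector and action are separated by a TAB.
*.info	@loghost

## Client, syslog-ng.conf: send over TCP to a local stunnel listener
## instead of putting cleartext on the wire.
options { log_fifo_size(10000); };   # client-side buffer (messages) for outages
source s_local { unix-stream("/dev/log"); internal(); };  # local source driver is platform-specific
destination d_tunnel { tcp("127.0.0.1" port(5140)); };
log { source(s_local); destination(d_tunnel); };

## Client, stunnel.conf: encrypt and forward to the log server.
client = yes
cert = /etc/stunnel/client.pem       # placeholder path, this host's cert + key
CAfile = /etc/stunnel/ca.pem         # placeholder path, CA that signed loghost's cert
verify = 2                           # refuse a server whose cert does not verify
[syslog]
accept = 127.0.0.1:5140
connect = loghost:5141

## Log server, stunnel.conf: terminate TLS, accept only known clients.
cert = /etc/stunnel/loghost.pem      # placeholder path
CAfile = /etc/stunnel/ca.pem
verify = 2                           # require a client cert signed by the CA
[syslog]
accept = 5141
connect = 127.0.0.1:5140

## Log server, syslog-ng.conf: listen on loopback only, one directory per host.
## Every connection arrives from 127.0.0.1 (stunnel), so the directory name
## comes from the hostname inside the message. That field is sender-supplied;
## the client certificate check above is what limits who can send at all.
options { keep_hostname(yes); create_dirs(yes); };
source s_tunnel { tcp(ip("127.0.0.1") port(5140) max-connections(200)); };
destination d_perhost { file("/logs/$HOST/syslog.log"); };
log { source(s_tunnel); destination(d_perhost); };
```

The `max-connections()` value is raised because syslog-ng's default TCP connection limit is far below the hundred-plus senders mentioned in the thread.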