HPE Community
Operating System - HP-UX
1832235 Members
2563 Online
110041 Solutions
New Discussion

collecting config and logfiles in datacenterenvironment

 
Ralf Seefeldt
Valued Contributor

‎03-06-2011 03:10 AM

‎03-06-2011 03:10 AM

collecting config and logfiles in datacenterenvironment

Hello all,

we runsomme 100 HP-UX servers, mostly blade, mostly 11.31, all ServiceGuard clusters. Virtual hosts will be part of the environment, soon. Our customers have root access - bad idea, but we can not discuss about that.

I want to collect and store centrally all security relevant files from all servers on a central, virtual, HP-UX based server. (syslog, wtmp, ..., all historyfiles from all accounts, all .profile, ..., passwd, group, /etc/shells, netconf, ...

A 2nd stepp would be to automatically get alarmed, when specific alterations in the files can be detected. A 3rd stepp could be including servers with other UNIX flavors and Windows.

I expect, there are prooven concepts, established (freeware) products, ... but so far I was not able to find any concrete descriptions, whitepapers or similar.

Any Ideas or hints are greately welcome.

Best regards

Ralf
0 Kudos
Reply
2 REPLIES 2
Kenan Erdey
Honored Contributor

‎03-06-2011 06:30 AM

‎03-06-2011 06:30 AM

Re: collecting config and logfiles in datacenterenvironment

Hi,

you want to know all what is done in your environment. some of them may not be needed indeed. and some of them will bring more workload to your environment also.

as relevant to syslogs, you can install a central syslog-server. you can install syslog-ng on a server and redirect syslogs from all servers to this server. there are some tools running ong cental log server for querying logs(php-syslog-ng etc.) or you can buy tools like kiwi logserver, or from symantec etc.) as logs about logins are also in syslogs, you may not need collect binary logs like btmp,wtmp etc.

To keep history files in a centralized location may not be a good idea. everybody has root access in your environmet. in this environment keeping and logging security is not easy. imho what you can done is, cetralizing authentication with a tool like centrify, likewise. with this tools you can log user sessions, keydrops even if they are all root.

as relevant to monitoring configuration files for the risk of being deleted, changed, you can use host based ids(hids). again with a centralized hids server you can monitor servers which you installed hids clients. hids supplies you kernel based monitoring, so it will bring a overhead.

if you want all this to be done in one step, you can buy custom tools and consultancy from symantec, quest, etc. they have log correlation tools, they collect logs from c2 level trusted systems. what the hell is done is collected and correlated in one server.



Computers have lots of memory but no imagination
0 Kudos
Reply
Kenan Erdey
Honored Contributor

‎03-06-2011 06:41 AM

‎03-06-2011 06:41 AM

Re: collecting config and logfiles in datacenterenvironment

i missed keeping configuration files centrally.
this is called cmdb. There are opensource and commercial tools for this. you can start reading here. we are using hp's tool.

http://en.wikipedia.org/wiki/Configuration_management_database
Computers have lots of memory but no imagination
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.