Re: Need to implement Syslog server

From: John R. Morris (jrmorris_at_nerdality.com)
Date: 11/13/04

  • Next message: John Kennison: "Re: SQL stored procedures encryption strength"
    Date: Fri, 12 Nov 2004 19:46:30 -0500
    To: Juan B <juanbabi@yahoo.com>
    
    

    Juan B wrote:

    >Hi,
    >
    >On my network I need to implement a Syslog server
    >which will need to log from many servers as windows
    >2000 domain controllers, Ids systems maybe cisco
    >routers and 'etc.
    >
    >
    This comes up pretty frequently. Pretty much everything but Windows will
    likely talk to syslog if told to, with no additional software required:
    Linux/Unix servers & workstations (including Mac OS X) can all talk to a
    syslog server.

    Cisco gear can be configured to log to syslog:
    http://www.siliconvalleyccie.com/cisco-hn/syslog-cisco.htm
    Google will turn up more, if you have more specific Cisco gear and the
    above doesn't cover it. It's pretty configurable, you can even tune
    things like loglevel IIRC, although Cisco's idea of useful informational
    events and everyone else's can vary, so read up on it.

    A great many other managed network devices support syslogging, as well.
    YMMV depending on your equipment.

    Your IDS should support it, if not I'd consider whacking anybody who
    made an IDS solution free/commercial that didn't have good log output
    options for events. I pretty much only use Snort so I can't speak as to
    specifics.

    Windows is a bit more problematic, I've found:
    http://www.edoceo.com/creo/winlogd/
    Extremely cool tool to log from Windows Events to Syslog, appears to be
    free, some command line typing (winlogd -i to install it as a service)
    and registry editing for configuration, follow the instructions, save
    your registry config out as a key file so you can drop it in on
    additional servers assuming you wanted to have them all log to the
    same syslog server.

    >Also, assuming I have many servers ( 15-20 servers to
    >take logs from) what are the Syslog hardware server
    >requirements? more CPU? memory ?
    >which is the best open source software to use? I
    >prefer to work with Red hat.
    >
    >
    >
    Red Hat will work, or Fedora Core, rather, assuming you don't want their
    commercial options.
    Logs from 15-20 servers should not be overly taxing in terms of CPU or
    memory, it's not a computationally intense task nor does it tend to take
    much memory. More important is good, responsive, stable network hardware
    (get a good net card that doesn't produce errors and has at least the
    same bandwidth as your other servers, probably 10/100 will suffice).
    The most important thing for a logserver tends to be disk space;
    depending on how long you want to keep logs around for (longer is
    usually better in my experience), and how safe you want them to be, big
    disks and RAID should be considered. Access to tape or other backup
    options is a plus in this arena, too. An old Sun pizza box (Sparcstation
    5 IIRC) can handle a surprising number of hosts (40-50, and that was not
    a limit, just what we had) syslogging to it, disk space was the only
    thing that was really inadequate, we had to keep moving old logs elsewhere.

    Finally, the biggest consideration for a log server should be keeping it
    secure. Don't run anything but syslog and ssh that opens a port. Limit
    remote access to a few trusted, well secured workstations to act as
    management consoles, limit the users who have an account to the minimum.
    Avoid network filesystems such as NFS if at all possible, keep it off of
    LDAP/NIS global auth unless totally impractical, implement audit trails
    for all sessions on the box and for the filesystem to stay on top of any
    potential log tampering. Keeping the box physically secure is good, too.
    Obviously you can go as far as you want to with this. Just keep in mind
    that not only are logs great troubleshooting tools, but they are your
    only source usually for complete records of events when things go
    pear-shaped in any way, and can be the most convincing evidence in that
    sense.

    Implementing a standardized way to tar & gzip old logs and store them
    will reward you manyfold, whether you write your own or grab someone
    else's. Make sure you install things like gzcat for going through those
    tarballs though, it saves a ton of time ;).

    Just my humble sysadmin perspective on the topic.

    - John

    P.S. if anyone needs a Linux/Unix admin in the Greensboro/Winston-Salem
    area, I'm here, I'm affordable, e-mail me. Thanks.
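An archiving routine along the lines John describes above (tar and gzip old logs once, keep a checksum beside the archive so later tampering with it can be spotted, and only then delete the originals), added here as an example; it is not part of the original post. The log and destination paths, the minimum age, and the availability of GNU tar and sha256sum on the log server are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Archives regular files older
# than MIN_AGE_DAYS from LOGDIR into one gzipped tarball in DESTDIR, verifies
# the tarball, records its SHA-256, and removes the originals only after that.
# Assumes GNU tar (-T) and sha256sum; file names without whitespace.
set -u

# archive_old_logs LOGDIR DESTDIR MIN_AGE_DAYS
# Returns 0 on a verified archive, 1 if nothing qualified, 2 on failure
# (on failure the originals are left untouched).
archive_old_logs() {
    logdir="$1"; destdir="$2"; min_age="$3"
    stamp=$(date +%Y%m%d-%H%M%S)
    tarball="$destdir/logs-$stamp.tar.gz"
    list="$destdir/.pending-$stamp"
    mkdir -p "$destdir" || return 2
    # Candidates: regular files older than MIN_AGE_DAYS, skipping anything
    # already gzipped so earlier archives are never re-archived.
    (cd "$logdir" && find . -type f -mtime +"$min_age" ! -name '*.gz') > "$list"
    if [ ! -s "$list" ]; then rm -f "$list"; return 1; fi
    # Build the archive from the list (paths relative to LOGDIR).
    (cd "$logdir" && tar -cf - -T "$list") | gzip -9 > "$tarball"
    # Verification is the real gate: a truncated or corrupt tarball fails here.
    if ! gzip -dc "$tarball" | tar -tf - >/dev/null; then
        rm -f "$tarball" "$list"; return 2
    fi
    # Checksum kept next to the archive; copy it off-box as well.
    (cd "$destdir" && sha256sum "$(basename "$tarball")" > "$tarball.sha256")
    # Originals go only now; the file list is kept as the archive manifest.
    (cd "$logdir" && xargs rm -f < "$list")
    mv "$list" "$tarball.manifest"
    return 0
}

# verify_archive TARBALL: 0 if the recorded SHA-256 still matches the file.
verify_archive() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}
```

Run it from cron (e.g. weekly) against the directory your log rotation leaves old files in; gzcat or zcat reads the resulting tarballs directly.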

