Re: Need to implement Syslog server
From: John R. Morris (jrmorris_at_nerdality.com)
Date: Fri, 12 Nov 2004 19:46:30 -0500
To: Juan B <firstname.lastname@example.org>
Juan B wrote:
>On my network I need to implement a Syslog server
>which will need to log from many servers as windows
>2000 domain controllers, IDS systems, maybe Cisco
>routers and etc.
This comes up pretty frequently. Pretty much everything but Windows will
likely talk to syslog if told to, with no additional software required:
Linux/Unix servers & workstations (including Mac OS X) can all talk to a
Cisco gear can be configured to log to syslog:
Google will turn up more, if you have more specific Cisco gear and the
above doesn't cover it. It's pretty configurable, you can even tune
things like loglevel IIRC, although Cisco's idea of useful informational
events and everyone else's can vary, so read up on it.
A great many other managed network devices support syslogging, as well.
YMMV depending on your equipment.
Your IDS should support it, if not I'd consider whacking anybody who
made an IDS solution free/commercial that didn't have good log output
options for events. I pretty much only use Snort so I can't speak as to
Windows is a bit more problematic, I've found:
Extremely cool tool to log from Windows Events to Syslog, appears to be
free, some command line typing (winlogd -i to install it as a service)
and registry editing for configuration, follow the instructions, save
your registry config out as a key file so you can drop it in on
additional servers assuming you wanted to have them all log to the
same syslog server.
>Also, assuming I have many servers ( 15-20 servers to
>take logs from) what are the Syslog hardware server
>requirements? more CPU? memory?
>which is the best open source software to use? I
>prefer to work with Red Hat.
Red Hat will work, or Fedora Core, rather, assuming you don't want their
logs from 15-20 servers should not be overly taxing in terms of CPU or
memory, it's not a computationally intense task nor does it tend to take
much memory. More important is good, responsive, stable network hardware
(get a good net card that doesn't produce errors and has at least the
same bandwidth as your other servers, probably 10/100 will suffice).
The most important thing for a logserver tends to be disk space;
depending on how long you want to keep logs around for (longer is
usually better in my experience), and how safe you want them to be, big
disks and RAID should be considered. Access to tape or other backup
options is a plus in this arena, too. An old Sun pizza box (Sparcstation
5 IIRC) can handle a surprising number of hosts (40-50, and that was not
a limit, just what we had) syslogging to it, disk space was the only
thing that was really inadequate, we had to keep moving old logs elsewhere.
Finally, the biggest consideration for a log server should be keeping it
secure. Don't run anything but syslog and ssh that opens a port. Limit
remote access to a few trusted, well secured workstations to act as
management consoles, limit the users who have an account to the minimum.
Avoid network filesystems such as NFS if at all possible, keep it off of
LDAP/NIS global auth unless totally impractical, implement audit trails
for all sessions on the box and for the filesystem to stay on top of any
potential log tampering. Keeping the box physically secure is good, too.
Obviously you can go as far as you want to with this. Just keep in mind
that not only are logs great troubleshooting tools, but they are your
only source usually for complete records of events when things go
pear-shaped in any way, and can be the most convincing evidence in that
Implementing a standardized way to tar & gzip old logs and store them
will reward you manyfold, whether you write your own or grab someone
else's. Make sure you install things like gzcat for going through those
tarballs though, it saves a ton of time ;).
Just my humble sysadmin perspective on the topic.
P.S. if anyone needs a Linux/Unix admin in the Greensboro/Winston-Salem
area, I'm here, I'm affordable, e-mail me. Thanks.
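The "standardized way to tar & gzip old logs" the reply recommends, together with its point about staying on top of log tampering, as an added shell example that is not part of the original post or of any project mentioned in it. It assumes a POSIX sh with tar (supporting -T), gzip and GNU coreutils sha256sum, as found on a Red Hat or Fedora Core box; every path and date stamp is a placeholder supplied by the caller, and the verification step is my own addition, not something the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post: archive syslog files older
# than a retention window into a dated gzip tarball, record a SHA-256
# manifest, and remove the originals only after the tarball verifies.
# Assumes POSIX sh, tar with -T, gzip and coreutils sha256sum.
# All directory names and the date stamp are placeholders from the caller.

# archive_old_logs LOGDIR ARCHDIR DAYS STAMP
#   Every regular file under LOGDIR older than DAYS days goes into
#   ARCHDIR/logs-STAMP.tar.gz; ARCHDIR/logs-STAMP.sha256 records its hash.
#   The live file syslogd is still writing has a fresh mtime and is skipped.
#   Returns 1 when nothing is old enough, 2 when the tarball failed to build.
archive_old_logs() {
    logdir=$1; days=$3; stamp=$4
    mkdir -p "$2" || return 2
    # Resolve ARCHDIR to an absolute path so the tar step can cd into LOGDIR
    # and still find both the archive and the file list.
    archdir=$(cd "$2" && pwd)
    archive="$archdir/logs-$stamp.tar.gz"
    tmplist="$archdir/.list.$$"

    # Candidate list, relative to LOGDIR so the tarball has clean member names.
    (cd "$logdir" && find . -type f -mtime +"$days") > "$tmplist"
    if [ ! -s "$tmplist" ]; then
        rm -f "$tmplist"
        return 1
    fi

    # Build the compressed archive, then test it before touching originals.
    (cd "$logdir" && tar -czf "$archive" -T "$tmplist") || { rm -f "$tmplist"; return 2; }
    gzip -t "$archive" || { rm -f "$tmplist"; return 2; }

    # Checksum manifest; keep a copy off the box, or it protects nothing.
    (cd "$archdir" && sha256sum "logs-$stamp.tar.gz" > "logs-$stamp.sha256")

    # Originals are safe in the verified tarball; reclaim the disk space.
    while IFS= read -r f; do
        rm -f "$logdir/$f"
    done < "$tmplist"
    rm -f "$tmplist"
    return 0
}

# verify_archive ARCHDIR STAMP
#   Re-checks a tarball against its manifest. Non-zero means the archive is
#   corrupt or was modified after it was written.
verify_archive() {
    archdir=$1; stamp=$2
    gzip -t "$archdir/logs-$stamp.tar.gz" >/dev/null 2>&1 || return 1
    (cd "$archdir" && sha256sum -c "logs-$stamp.sha256" >/dev/null 2>&1) || return 1
    return 0
}

# Typical use from cron on the log server (placeholder paths):
#   archive_old_logs /var/log/remote /var/log/archive 30 "$(date +%Y%m%d)"
#   verify_archive /var/log/archive 20041112
# Reading an archived file back later: gzcat logs-20041112.tar.gz | tar -xf - -O ./messages.1
```

The order of operations is the point: the tarball is built and tested with gzip -t before any original is removed, so a disk-full or interrupted run loses nothing, and the manifest gives a cheap check that an archive restored from tape or copied off the box is the one that was written.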