Re: Simultaneously write syslog to another server?

From: James (james_readerNOSPAM@lineone.net)
Date: 04/19/02


From: "James" <james_readerNOSPAM@lineone.net>
Date: Fri, 19 Apr 2002 11:04:34 +0100


"David Hart" <news-post@mcdh.co.uk> wrote in message
news:02cm9a.m1o.ln@corn.mcdh.co.uk...
> Remy Sharp <remy.sharp@gallio.com> wrote:
>
> > For security purposes I want to be able to write the events logged
> > using syslog to another machine (so that if a potential hacker does
> > clean his/her steps - there is a copy I can go by).
> >
> > Does anyone know if:
> >
> > a) this is possible
> > b) this is worth doing
> > c) if there is a simple way of doing this -OR-
> > d) there is a (preferably free) program to do this
>
> Start syslogd with the '-r' option on the machine you want to log to.
> On the machine you want to log from edit /etc/syslog.conf and add the
> line "*.* @machine.address.to.log.to"
>
> --
> David Hart
> david@mcdh.co.uk
>

Hint I was given is also to re-compile syslogd so that it takes its
configuration from a different file (something unobvious, e.g.
/home/<user>/mythesis.txt) and set the option to export to a different
server there. Then leave a default syslogd.conf in /etc so the intruder
doesn't realise there's more logs to clear.
Think this tip came from http://project.honeynet.org who've got papers on
setting this sort of thing up, you could try looking there.
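
Added example, not part of the original posts: a small audit script that reads a syslog.conf and reports which selectors are actually forwarded to a remote host, so you can confirm the `*.* @host` rule from the reply above is active and not commented out or narrowed by an exclusion. It assumes the classic sysklogd `selector action` line format; the function names and the sample config are constructed for illustration.

```python
"""Audit a sysklogd-style syslog.conf for remote forwarding rules."""

# Constructed sample config; the host name is the placeholder used in the thread.
SAMPLE_CONF = """\
# local files
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
mail.err                 /var/log/mail.err
# copy of everything to the log host
*.*                      @machine.address.to.log.to
"""


def parse_rules(text):
    """Return (selector, action) pairs, skipping comments and blank lines."""
    rules = []
    # Join continuation lines (a trailing backslash) before splitting.
    joined = text.replace("\\\n", " ")
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # selector, then the rest is the action
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip()))
    return rules


def remote_targets(text):
    """Map each remote host to the list of selectors forwarded to it."""
    targets = {}
    for selector, action in parse_rules(text):
        if action.startswith("@"):  # '@host' means forward to a remote syslogd
            targets.setdefault(action[1:], []).append(selector)
    return targets


def forwards_everything(text):
    """True only if an unrestricted '*.*' selector goes to some remote host."""
    return any("*.*" in sels for sels in remote_targets(text).values())


if __name__ == "__main__":
    for host, selectors in remote_targets(SAMPLE_CONF).items():
        print(f"{host}: {', '.join(selectors)}")
    print("full remote copy:", forwards_everything(SAMPLE_CONF))
```

Run it against the real file by passing `open("/etc/syslog.conf").read()` to `remote_targets`; a selector such as `*.*;auth.none` is deliberately not counted as a full copy because it drops auth messages.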