Re: Remote Syslogd

From: Jason Frey (jmfreyat_private)
Date: Wed Oct 30 2002 - 07:13:44 PST

    Syslog alone can do what you are asking, though syslog-ng will provide more 
    flexibility.
    
    In your syslog.conf file of your remote_machine, you need to specify the 
    appropriate actions to be taken.
    
    In your example below, you are telling the Linux machines where to send
    syslog messages based on the "facility.priority".  In your case, to
    remote_machine.  When remote_machine receives these messages it will
    perform an action based on what its own syslog.conf file tells it.
    
    For example, on remote_machine you might have (from the Linux man page for
    syslog.conf):

    # Kernel messages are first, stored in the kernel
    # file, critical messages and higher ones also go
    # to another host and to the console
    #
    kern.*                       /var/adm/kernel
    kern.crit                    @finlandia
    kern.crit                    /dev/console
    kern.info;kern.!err          /var/adm/kernel-info
    
    The actions (right side) define what to do for the facility.priority.  You
    can assign different directory and file names if you want.  This should
    really only be necessary, however, if you are using an application that
    performs syslog logging and you want those separate (i.e. snort).
    
    
    At 02:57 PM 10/28/2002 -0800, cert wrote:
    >I was wondering what kind of information people used to log on a remote
    >syslog server.
    >
    >I mean, for every Linux machine I have, I use to log those facilities and
    >priorities:
    >
    >authpriv.*      @remote_machine
    >kern.info       @remote_machine
    >syslog.info    @remote_machine
    >*.emerg        @remote_machine
    >
    >If there is too much information, I use higher priority level than .info for
    >kern and syslog facilities.
    >
    >Is that a good practice or am I logging garbage ?
    >
    >Another point is if someone knows if I can log in a certain directory in a
    >remote host. Seems that I can't. Is that possible ?
    >
    >Thanks in advance
    >
    >Ricardo Pires
    >
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 07:16:45 PST
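
Added example (not part of the original message and not syslogd's own code): a small Python evaluator for the "facility.priority" selector syntax discussed above, run against the man page rules quoted in the reply to show which actions fire for a message at each priority. The function names are made up for this illustration, and it models only the standard priority names and the `*`, `none`, `!` and `=` forms (aliases such as warn, error and panic are not handled).

```python
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY = {name: n for n, name in enumerate(PRIORITIES)}  # 0 = most severe

# Rules copied from the syslog.conf man page excerpt quoted in the message.
RULES = """\
kern.*                       /var/adm/kernel
kern.crit                    @finlandia
kern.crit                    /dev/console
kern.info;kern.!err          /var/adm/kernel-info
"""

def selector_matches(selector_field, facility, priority):
    """Return True if a ';'-separated selector field selects the message."""
    selected = False
    for selector in selector_field.split(";"):
        facilities, _, prio = selector.rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue  # this selector says nothing about our facility
        if prio == "none":
            selected = False  # "none" drops the facility again
            continue
        negate = prio.startswith("!")
        exact = prio.lstrip("!").startswith("=")
        prio = prio.lstrip("!=")
        if prio == "*":
            hit = True
        elif exact:
            hit = SEVERITY[priority] == SEVERITY[prio]
        else:  # default: the named priority and anything more severe
            hit = SEVERITY[priority] <= SEVERITY[prio]
        if hit:
            selected = not negate  # later selectors override earlier ones
    return selected

def actions_for(facility, priority, rules=RULES):
    """List the actions (right-hand sides) that fire for one message."""
    fired = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        if selector_matches(selector_field, facility, priority):
            fired.append(action.strip())
    return fired

if __name__ == "__main__":
    for pri in ("debug", "info", "err", "crit"):
        print(f"kern.{pri:<6} -> {actions_for('kern', pri)}")
```

The output shows that `kern.info;kern.!err` selects only info, notice and warning, and that an action starting with `@` forwards the message to another host while a path writes it to a local file.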