Re: Remote Syslogd

From: msconzoat_private
Date: Wed Oct 30 2002 - 08:02:22 PST


    Here is my $0.02.
    
    I agree with the comments about "it's better to log too much than too
    little."  With that being said, I usually wind up logging everything to a
    remote machine and dealing with the placement/management/auditing of logs
    in a central place (seems to make my life easier).
    
    If you want to log to a certain directory on the remote host, this is done
    via the remote machine's syslogd.conf file.
    
    A quick note from experience on "logging a lot costs you little": the
    computer science dept at TAMU does a network security class each year.  A
    sandbox is set up, and there are a number of black teams (bad guys) vs. a
    gold team (good guys providing network services on about 8 boxes).  Last
    time I logged a semester's worth of port scanning (via iptables) as well as
    other information from syslog to a remote machine.  I managed to get
    about 400MB of logs in 3 months.  *moral* logging is cheap...do it
    
    You just have to be careful about attacks against the remote logging
    machine...but that's why you back it up :)
    
    -mike
    
    
    > I was wondering what kind of information people use to log on a remote
    > syslog server.
    >
    > I mean, for every Linux machine I have, I log these facilities and
    > priorities:
    >
    > authpriv.*      @remote_machine
    > kern.info       @remote_machine
    > syslog.info     @remote_machine
    > *.emerg         @remote_machine
    >
    > If there is too much information, I use a higher priority level than .info for
    > the kern and syslog facilities.
    >
    > Is that a good practice or am I logging garbage?
    >
    > Another point is whether someone knows if I can log to a certain directory on a
    > remote host. Seems that I can't. Is that possible?
    >
    > Thanks in advance
    >
    > Ricardo Pires
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
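As an added illustration that is not part of the thread: a small Python model of the selector semantics behind the four syslog.conf lines quoted above, assuming the standard syslog priority ordering and a few constructed sample messages, to show which messages those rules forward to the remote host and which (for example kern.debug or mail.info) are silently dropped.

```python
# Added example (not from the post or from any syslogd): models only the
# "facility.priority action" lines quoted in the thread; no ';' lists, '=', '!' or 'none'.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# The four rules quoted in the thread.
CONFIG = """\
authpriv.*      @remote_machine
kern.info       @remote_machine
syslog.info     @remote_machine
*.emerg         @remote_machine
"""

def parse_config(text):
    """Turn syslog.conf lines into (facility, priority, action) tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        selector, action = line.split()
        facility, priority = selector.split(".")
        rules.append((facility, priority, action))
    return rules

def matches(rule, facility, priority):
    """A selector matches its facility at the given priority or any higher one."""
    rf, rp, _ = rule
    if rf != "*" and rf != facility:
        return False
    return rp == "*" or PRIORITIES.index(priority) >= PRIORITIES.index(rp)

def route(rules, messages):
    """Map each action to the messages it receives (one copy per action)."""
    out = {}
    for facility, priority, text in messages:
        for rule in rules:
            if matches(rule, facility, priority):
                dest = out.setdefault(rule[2], [])
                if text not in dest:
                    dest.append(text)
    return out

# Constructed sample messages: (facility, priority, text).
SAMPLE = [
    ("authpriv", "notice", "sshd: Accepted password for mike"),
    ("kern", "debug", "eth0: link is up"),
    ("kern", "warning", "iptables: IN=eth0 SRC=10.0.0.5 DPT=23"),
    ("cron", "emerg", "cron: disk full"),
    ("mail", "info", "sendmail: queue run"),
]

FORWARDED = route(parse_config(CONFIG), SAMPLE)
```

With the quoted rules, only the authpriv, kern.warning and cron.emerg lines reach @remote_machine; the kern.debug and mail.info lines never leave the host.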



    This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 08:07:00 PST