In the enterprise I'm in we use a proprietary agent on each box that parses all local logs for entries we deem pertinent; those are then encrypted and reported to a central alert server which is monitored in real time. While this is a proprietary package, the concept is simple enough to reproduce with something like logcheck running every minute or so and stunnel.

Hope that helps.

Matt

----- Original Message -----
From: "Marlys A Nelson" <marlys.a.nelsonat_private>
To: <loganalysisat_private>
Sent: Saturday, August 11, 2001 4:07 AM
Subject: Central syslog server best practices?

> For years, I've used the idea of a central syslog host that all our unix
> machines use so that the logs were consolidated in one location and less
> able to be changed in case of a host compromise. Recently, the log
> traffic from our firewall (linux running ipchains) has been so heavy
> that the syslog server has been losing data.
>
> I've thought about multiple servers, a larger central server (though is
> this just delaying the problem for a while again?), logging high volume
> servers to local disk (but then how to avoid log compromises if
> hacked?), alternatives to syslog (I'm just running standard linux
> syslog), etc...
>
> I'm wondering how others configure their syslogging "enterprise-wide" to
> avoid this problem?
>
> --
> Marlys A. Nelson                    Sr. Network Specialist
> Information Technology Services     Network Services
> University of Wisconsin - River Falls
> 410 South Third Street              Email: Marlys.A.Nelsonat_private
> River Falls WI 54022                http://www.uwrf.edu/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private
>
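The logcheck-plus-stunnel idea in Matt's reply, as an added example that is not code from either poster: a minimal agent that applies logcheck-style ignore/alert rules to constructed sample syslog lines (ipchains denies, sshd failures) and ships only the survivors over a certificate-verified TLS connection, the job stunnel does in the original suggestion. The collector host, port and CA file are assumptions.

```python
import re
import socket
import ssl
from typing import Iterable, List

# Constructed sample of local syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Aug 11 04:01:12 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4444 192.0.2.10:22 L=60 S=0x00 I=1 F=0x4000 T=51 SYN (#3)
Aug 11 04:01:13 fw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Aug 11 04:01:20 web sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 11 04:01:25 web sshd[2203]: Accepted publickey for deploy from 192.0.2.50 port 51030 ssh2
Aug 11 04:02:00 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:137 192.0.2.255:137 L=78 S=0x00 I=1 F=0x0000 T=64 (#3)
"""

# logcheck-style rule sets: ignore rules drop routine noise so it never
# leaves the box; alert rules pick what the central server should see.
IGNORE_RULES = [re.compile(p) for p in (
    r"CRON\[\d+\]: \(root\) CMD \(run-parts",
    r"sshd\[\d+\]: Accepted publickey",
)]
ALERT_RULES = [re.compile(p) for p in (
    r"kernel: Packet log: input DENY",
    r"sshd\[\d+\]: Failed password",
)]


def select_pertinent(lines: Iterable[str]) -> List[str]:
    """Keep only lines that are not ignored and match an alert rule."""
    kept = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or any(r.search(line) for r in IGNORE_RULES):
            continue
        if any(r.search(line) for r in ALERT_RULES):
            kept.append(line)
    return kept


def ship(lines: List[str], host: str, port: int, cafile: str) -> int:
    """Send a batch over TLS to the collector; returns bytes sent.
    Certificate and hostname verification stay on, so the collector must
    present a certificate chaining to `cafile` (assumed values)."""
    ctx = ssl.create_default_context(cafile=cafile)
    payload = "".join(l + "\n" for l in lines).encode()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)  # on failure the caller keeps the batch for retry
    return len(payload)


if __name__ == "__main__":
    batch = select_pertinent(SAMPLE_LOG.splitlines())
    print("\n".join(batch))  # 3 of the 5 sample lines survive the rules
```

Run from cron every minute as the reply suggests, keeping the batch on local disk until `ship` returns, so a collector outage delays rather than loses entries.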
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 12:55:13 PDT