[loganalysis] Re: Central syslog server best practices?

From: Gary (hotmail) (heitmangaat_private)
Date: Mon Aug 13 2001 - 05:13:19 PDT


    Marlys,
    
    I also have nearly the exact same box running as "quarterback", syslog-ing
    for the company's network... I can't say that we have the issue of losing
    packets due to heavy traffic; I have the problem that some of the machines
    (Sun hosts) are rebuilt without my knowledge. (They are used exclusively for
    printing, and the on-site technical support for the printers seems to
    believe that when something doesn't work, reloading the software and
    ignoring my list of "specific site configuration rules" is the answer ...)
    On occasion, it has gone "unnoticed" for a week, before ...
    
    In any case, while we have a centralized log server, I maintain some of the
    logs on the local machines, as well, in the event important logs happen
    during a compromise, loss of network, etc. This also helps me to spend some
    time on the local machines, if only to peek and rotate the logs ...
    
    I'll be interested to hear what you come up with, attempting to combat this
    problem.
    
    Good luck,
    gary
    
    ----- Original Message -----
    From: "Marlys A Nelson" <marlys.a.nelsonat_private>
    To: <loganalysisat_private>
    Sent: Saturday, August 11, 2001 4:07 AM
    Subject: Central syslog server best practices?
    
    
    > For years, I've used the idea of a central syslog host that all our unix
    > machines use so that the logs were consolidated in one location and less
    > able to be changed in case of a host compromise. Recently, the log
    > traffic from our firewall (linux running ipchains) has been so heavy
    > that the syslog server has been losing data.
    >
    > I've thought about multiple servers, a larger central server (though is
    > this just delaying the problem for a while again?), logging high volume
    > servers to local disk (but then how to avoid log compromises if
    > hacked?), alternative to syslog (I'm just running standard linux
    > syslog), etc...
    >
    > I'm wondering how others configure their syslogging "enterprise-wide" to
    > avoid this problem?
    >
    > --
    > Marlys A. Nelson                      Sr. Network Specialist
    > Information Technology Services       Network Services
    > University of Wisconsin - River Falls
    > 410 South Third Street                Email: Marlys.A.Nelsonat_private
    > River Falls  WI  54022                http://www.uwrf.edu/
    >
    
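One defensive check that follows from Gary's point about hosts silently dropping out of the central log (rebuilt without notice, or unreachable during a compromise or network loss) is to periodically ask the central syslog file which expected hosts have stopped reporting. The script below is an added example, not code from either poster; it assumes the classic BSD syslog line format ("Mon DD HH:MM:SS host tag: message") that a standard Linux syslogd writes, that the year is supplied by the caller since that format has none, and the hostnames and log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Classic BSD syslog line as a 2001-era Linux syslogd writes it:
# "Mon DD HH:MM:SS host tag: message".  No year is carried, so the
# caller supplies one (assumed to be 2001 here).
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def parse_line(line, year=2001):
    """Return (timestamp, host, rest) for one syslog line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return stamp, m.group(2), m.group(3)

def last_seen(lines, year=2001):
    """Map each sending host to the newest timestamp it logged.
    UDP syslog can arrive out of order, so keep the maximum, not the last."""
    seen = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            stamp, host, _ = parsed
            if host not in seen or stamp > seen[host]:
                seen[host] = stamp
    return seen

def silent_hosts(lines, expected_hosts, max_gap_hours, year=2001):
    """Expected hosts with nothing logged within max_gap_hours of the newest
    entry in the file; hosts that never appear at all map to None."""
    seen = last_seen(lines, year)
    newest = max(seen.values()) if seen else None
    gap = timedelta(hours=max_gap_hours)
    return {h: seen.get(h) for h in expected_hosts
            if h not in seen or newest - seen[h] > gap}

# Constructed sample of a central log; all hostnames are made up.
# "print2" was rebuilt without notice and stopped sending after 05:20.
SAMPLE_LOG = """\
Aug 13 05:13:19 firewall kernel: Packet log: input DENY eth0 PROTO=6
Aug 13 05:13:19 print1 lpd[212]: job queued
Aug 13 05:20:02 print2 syslogd: restart
Aug 13 05:14:10 firewall kernel: Packet log: input DENY eth0 PROTO=17
Aug 13 09:00:01 loghost CRON[3312]: (root) CMD (run-parts /etc/cron.hourly)
Aug 13 09:05:44 print1 lpd[212]: job queued
Aug 13 10:30:00 firewall kernel: Packet log: input DENY eth0 PROTO=6
""".splitlines()
EXPECTED_HOSTS = ["firewall", "loghost", "print1", "print2", "print3"]

if __name__ == "__main__":
    for host, stamp in sorted(silent_hosts(SAMPLE_LOG, EXPECTED_HOSTS, 2).items()):
        print(f"{host}: last seen {stamp or 'never'}")
```

Run from cron against the real central log with the site's host list; a host reported as silent is either down, rebuilt with its syslog.conf reset, or cut off from the log server, all of which merit a visit.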
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 14:59:56 PDT