Re: [loganalysis] Re: Central syslog server best practices?

From: Nate Campi (nateat_private)
Date: Mon Aug 13 2001 - 16:50:46 PDT

    On Mon, Aug 13, 2001 at 10:55:30AM -0700, Greg Broiles wrote:
    > At 05:36 PM 8/12/2001 -0500, Marlys A Nelson wrote:
    > >Andreas Östling wrote:
    > > >
    > > > On Sat, 11 Aug 2001, Marlys A Nelson wrote:
    > > > ...
    > > > > Recently, the log traffic from our firewall (linux running ipchains) has
    > > > > been so heavy that the syslog server has been losing data.
    > > > ...
    > > > > I'm wondering how others configure their syslogging "enterprise-wide" to
    > > > > avoid this problem?
    > > >
    > > > I think it sounds a bit weird that the syslog server is losing data just
    > > > because of one host sending too much information.
    > 
    > Have you considered building a (very small) separate private-IP-space 
    > network for log traffic, and/or making sure that the source and destination 
    > hosts are all on switched ports? It sounds like your limiting factor is 
    > network bandwidth, not disk or processor or RAM.
    > 
    > Have others done this? My interest is partly performance-oriented, partly 
    > security-oriented - I'm a little wary of using crypto-based access control 
    > approaches to logging, because of the potential that an attacker (or an 
    > error) might be able to swamp the related processors with lots of data 
    > needing to be encrypted and signed, leading to a logging DoS due to 
    > processor load.
    
    We've implemented a three-network topology in our newer datacenter
    networks. We have a "front-net" for live internet traffic, a "mid-net" for
    server to server traffic (for database access, multi-tiered apps, etc) and
    a "back-net" for administrative traffic like syslog traffic and pulling
    logs from servers for hit tracking.
    
    I don't think only large shops like ours need such a setup; small shops
    can just as easily overload a 100 Mbit network wire with inter-server traffic,
    log pulls, syslog traffic, etc. It's a burden from a network
    administration perspective, but all worth it IMHO.
    
    I tend to agree with MJ Ranum that many of the problems lie with
    standard syslog daemons and the underlying OS. I use syslog-ng with TCP
    connections to minimize loss of log traffic; so far so good.
    -- 
    Nate Campi  (415) 276-8678  UNIX Ops, Terra Lycos - WiReD SF
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
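The loss Marlys describes, and the difference Nate's TCP transport makes, can be reproduced on one host. What follows is an added example, not code from this thread or from syslog-ng itself: it pushes a burst of constructed ipchains-style log lines at a local receiver first over UDP, then over a single TCP connection, and counts what arrives. The receiver's socket buffer size, the sample message text, the burst size and the drain timeout are all assumptions chosen to make the effect visible quickly.

```python
"""Burst test: UDP versus TCP syslog delivery to a busy receiver.

Added example, not code from the thread or from syslog-ng. It reproduces the
failure mode under discussion: a syslog receiver with a small socket buffer
that is momentarily not reading drops UDP datagrams silently, while the same
burst over a TCP connection arrives intact because the sender is held back by
flow control. The message text, buffer size and burst size are assumptions.
"""
import socket
import threading

# Constructed ipchains-style log line (PRI 13 = user.notice), padded to ~200 bytes.
MSG = ("<13>Aug 13 16:50:46 fw01 kernel: Packet log: input DENY eth0 PROTO=6 "
       "192.0.2.7:4321 198.51.100.5:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN ").ljust(200, "x")

RCVBUF = 16384  # assumed small server-side receive buffer so the queue overflows fast


def udp_burst(n, drain_timeout=0.2):
    """Send n datagrams to a local UDP listener that only starts reading after
    the whole burst has been sent. Returns the number of messages received."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, RCVBUF)
    rx.bind(("127.0.0.1", 0))
    port = rx.getsockname()[1]

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = MSG.encode()
    for _ in range(n):
        try:
            tx.sendto(payload, ("127.0.0.1", port))
        except OSError:
            # Some kernels report ENOBUFS instead of dropping silently; either way
            # there is no retransmission and the message is gone.
            pass
    tx.close()

    # The "busy" receiver now drains whatever survived in the kernel queue.
    rx.settimeout(drain_timeout)
    received = 0
    while True:
        try:
            rx.recv(65535)
            received += 1
        except socket.timeout:
            break
    rx.close()
    return received


def tcp_burst(n):
    """Send the same burst over one TCP connection with newline framing.
    Returns the number of messages received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, RCVBUF)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def sender():
        tx = socket.create_connection(("127.0.0.1", port))
        payload = (MSG + "\n").encode()
        for _ in range(n):
            tx.sendall(payload)  # blocks while the receiver's window is full
        tx.close()

    t = threading.Thread(target=sender)
    t.start()
    conn, _ = srv.accept()
    chunks = []
    while True:
        buf = conn.recv(65536)
        if not buf:  # EOF: the sender closed after its last message
            break
        chunks.append(buf)
    conn.close()
    srv.close()
    t.join()
    return b"".join(chunks).count(b"\n")


if __name__ == "__main__":
    n = 20000
    print(f"UDP: {udp_burst(n)}/{n} received")
    print(f"TCP: {tcp_burst(n)}/{n} received")
```

Two caveats worth keeping in mind when reading the numbers. TCP does not make loss impossible; it moves the back-pressure to the client, so a syslog-ng sender whose own output queue fills while the server is slow will still drop, and the queue depth on the firewall becomes the limit. And neither transport by itself gives the integrity or confidentiality Greg's crypto concern is about; what a dedicated, switched back-net buys is that an attacker on the front-net cannot flood or sniff the log path at all, which is a cheaper answer to the CPU-exhaustion worry than signing every line.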
    



    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 14:45:01 PDT