> I tend to agree with MJ Ranum, that many of the problems lie with
> standard syslog daemons, and the underlying OS. I use syslog-ng with TCP
> connections to minimize loss of log traffic, so far so good.

What I did was set up all the remote 'sensors' to run syslog-ng, tunnelling the TCP through openssl back to the server. That way when a connection was dropped it would show up in my log files etc.

I then set up the main log host like so (x.x.x.x = remote IP of the sensor):

    # Accept the tunnelled syslog-ng TCP stream from the sensors.
    source remote { tcp(ip("x.x.x.x") port(4900)); };

    # One file per sensor.
    destination ephesians { file("/var/log/network-down-town/ephesians"); };

    # Only messages that originated on this sensor.
    filter ephesians-ids { host(x.x.x.x); };

    # Tie source, filter and destination together.
    log { source(remote); filter(ephesians-ids); destination(ephesians); };

To tunnel stuff through the SSL you will need to define a service in your /etc/services. And then run the logcheck script to look for particular matches etc.

I guess the next thing to do if time permitted would be to have a perl script parse through the logs putting them into a mysql database for web browsability for all the managers and such...

Anyhow. Hope this added to the idea pool.

-Simply,
Daniel Uriah Clemens

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
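The routing the poster's syslog-ng config performs on the loghost (split incoming lines by originating host, write each host to its own file) and the logcheck pass that follows can be reproduced offline to see what each stage does. The script below is an added example, not code from the original message or from syslog-ng or logcheck: it parses classic BSD syslog lines as syslog-ng writes them with its default template, routes them by host the way the host() filter and file() destination do, and greps the result with a few logcheck-style regexes. The host names, file paths, patterns and sample log lines are all constructed for illustration.

```python
"""Route syslog lines per host and grep them for logcheck-style patterns.

Added example (not from the original post). Host names, destination paths,
alert patterns and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Classic BSD syslog line as written by syslog-ng's default file template:
#   "Mmm dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Equivalent of one "filter ... { host(...); }" + "destination ... { file(...); }"
# pair per sensor. Constructed names; the loghost's own messages go to a
# local file so a dropped sensor connection logged by syslog-ng is kept too.
HOST_DESTINATIONS = {
    "ephesians": "/var/log/network-down-town/ephesians",
    "romans": "/var/log/network-down-town/romans",
    "loghost": "/var/log/messages",
}

# logcheck-style patterns: any message matching one of these is reported.
ALERT_PATTERNS = [
    re.compile(r"Connection (?:broken|closed|refused|reset)", re.I),
    re.compile(r"Failed password", re.I),
    re.compile(r"portscan", re.I),
]

# Constructed sample input: what the loghost might receive from the sensors.
SAMPLE_LINES = [
    "Aug 14 23:58:01 ephesians snort[1234]: portscan detected from 10.0.0.5",
    "Aug 14 23:58:02 romans sshd[777]: Failed password for root from 10.0.0.9 port 4022 ssh2",
    "Aug 14 23:59:10 loghost syslog-ng[42]: Connection broken to AF_INET(10.0.0.5:4900)",
    "Aug 15 00:00:00 ephesians cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Aug 15 00:00:05 galatians named[5]: transfer of zone example.test completed",
    "garbage line without a syslog header",
]


def parse_line(line):
    """Return the fields of one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def route(lines):
    """Group lines by destination file, as the log {} paths do in syslog-ng.

    Lines from hosts with no filter go to an 'unmatched' bucket and lines
    that do not parse go to 'unparsed', so nothing is silently dropped.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            buckets["unparsed"].append(line)
            continue
        dest = HOST_DESTINATIONS.get(rec["host"], "unmatched")
        buckets[dest].append(rec)
    return buckets


def check(records):
    """logcheck-style pass: return (host, program, message) for matching records."""
    return [
        (rec["host"], rec["prog"], rec["msg"])
        for rec in records
        if any(p.search(rec["msg"]) for p in ALERT_PATTERNS)
    ]


def alerts(lines):
    """Route, then run the pattern check over every parsed bucket."""
    hits = []
    for dest, recs in route(lines).items():
        if dest != "unparsed":
            hits.extend(check(recs))
    return hits


if __name__ == "__main__":
    for dest, recs in route(SAMPLE_LINES).items():
        print(f"{dest}: {len(recs)} line(s)")
    for host, prog, msg in alerts(SAMPLE_LINES):
        print(f"ALERT {host} {prog}: {msg}")
```

The 'unmatched' and 'unparsed' buckets are the check worth keeping: a sensor whose IP changed, or a line that does not carry the expected header, would otherwise vanish without anyone noticing, which is exactly the kind of silent loss the TCP transport was chosen to avoid.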
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 11:26:34 PDT