Hi,

I have a central log server (syslog) and I also want to copy (move) there logs which are not logged via syslog, e.g. Apache access logs, Squid access logs... (Both Apache and Squid are able to log _error_ logs via syslog, but access logs are of much bigger volume and it's probably not a good idea to log them via syslog; it's not supported anyway.)

I was thinking of using scp or rsync tunneled through ssh. But there are some problems with syncing logrotate and moving data to the log server: I will do logrotate every day (on 'client' machines) and update logs on the log server every hour, e.g. by rsync. When I rotate logs on the 'clients' I also have to rotate logs on the log server, otherwise rsync will overwrite the log on the log server with the new file at the next update (next hour). Then the problem of syncing logrotate arises (possibly different times on different machines) - I would like to avoid installing a network time protocol for syncing time.

Rotating logs every day and uploading every hour was chosen without any testing, so maybe it is inappropriate. But I guess updating logs e.g. every day is too slow, giving an attacker a whole day to clean logs on a broken computer before the logs are sent to the log server. Do you have any (better) ideas how to do this?

Another question is about the ssh transfer. How to automate the upload (rsync or scp) without the necessity of typing in a passphrase - is an ssh key without a passphrase OK? Then this could work from cron easily. Of course I would create a special user for these uploads, with limited rights (e.g. chroot to /var/log on the server, no shell, etc.).

Any ideas are welcome.
Thanks in advance,
Radek Spacil

--
Radek Spacil, research assistant,
WLan project, Telecommunication laboratory
Lappeenranta University of Technology
email: <radek.spacilat_private>
www: http://www.lut.fi/~spacil/
icq: 56361517 jabber: radek.spacilat_private
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 11:38:04 PST
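
The rotation problem described in the message above, worked as an added example that is not part of the original post: instead of mirroring the file, the client sends only the bytes appended since its last upload and detects rotation by inode, so the server copy is append-only and needs neither its own rotation nor synchronized clocks. The function name, the state file and the `.1` suffix are assumptions, and the local DEST file stands in for the log server.

```shell
#!/bin/sh
# Added example (not from the original post). ship_log SRC STATE DEST appends
# to DEST only the bytes SRC has gained since the previous run. DEST stands in
# for the file on the log server; a real setup would append over ssh instead.
# Assumes logrotate renames SRC to SRC.1 uncompressed (e.g. delaycompress).
ship_log() {
    src=$1; state=$2; dest=$3
    old_inode=0; offset=0
    if [ -f "$state" ]; then read -r old_inode offset < "$state"; fi
    inode=$(ls -i "$src" | awk '{print $1}')
    if [ "$old_inode" != 0 ] && [ "$inode" != "$old_inode" ]; then
        # SRC was rotated since the last run: send the unsent tail of the
        # old file first, identified by inode so clocks never matter.
        prev="$src.1"
        if [ -f "$prev" ] && [ "$(ls -i "$prev" | awk '{print $1}')" = "$old_inode" ]; then
            tail -c +"$((offset + 1))" "$prev" >> "$dest" || return 1
        fi
        offset=0
    fi
    size=$(($(wc -c < "$src")))
    if [ "$size" -lt "$offset" ]; then offset=0; fi   # truncated in place
    if [ "$size" -gt "$offset" ]; then
        tail -c +"$((offset + 1))" "$src" | head -c "$((size - offset))" >> "$dest" || return 1
    fi
    echo "$inode $size" > "$state"   # recorded only after a successful append
}

# Constructed demo: uploads before and after a rotation, then a no-op run.
demo_rotation() {
    d=$(mktemp -d) || return 1
    printf 'GET /a\nGET /b\n' > "$d/access.log"
    ship_log "$d/access.log" "$d/state" "$d/server.log"
    printf 'GET /c\n' >> "$d/access.log"          # written after the upload
    mv "$d/access.log" "$d/access.log.1"          # what logrotate does
    printf 'GET /d\n' > "$d/access.log"
    ship_log "$d/access.log" "$d/state" "$d/server.log"
    ship_log "$d/access.log" "$d/state" "$d/server.log"   # nothing new: no-op
    cat "$d/server.log"
    rm -rf "$d"
}
demo_rotation
```

Run it after logrotate's postrotate step, since a daemon that has not yet reopened its log keeps writing to the renamed file.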