Re: [logs] Update/copy logs to logserver (not via syslog)

From: Jeff King (peff-loganalat_private)
Date: Mon Feb 18 2002 - 12:04:21 PST


    On Mon, 18 Feb 2002, Radek Spacil wrote:
    
    > I was thinking to use scp or rsync tunneled through ssh. But there are
    > some problems with syncing logrotate and moving data to the log server:
    >
    > I will do logrotate every day (on 'client' machines) and update logs
    > on the logserver every hour e.g. by rsync. When I will rotate logs on
    > 'clients' I have to rotate logs also on log server otherwise rsync
    > will rewrite the log on the log server at next update (next hour) by
    > new file. Then here arises problem of logrotate syncing (possible
    > different times on different machines) - I would like to avoid
    > installing a network time protocols for syncing time.
    
    This model is flawed from a security standpoint. If the possibility of
    overwriting logs exists, then you haven't really solved very much by
    shipping them to a central logserver. You've changed the command for
    wiping the logs from:
    
    rm -rf /var/log/*
    
    to
    
    rm -rf /var/log/*
    rsync -a --delete /var/log loghost:
    
    Instead, you might consider streaming the log data over the connection,
    with a process on the server side appending to a file (which may be
    rotated as the central server sees fit). You can use an ssh key
    specification to restrict the program run on the server side. Even
    something as simple as 'cat >>logs' will work for this purpose (though
    having it respond correctly to signals to handle log rotation might be
    beneficial).
    
    > Another question is about ssh transfer. How to automate upload (rsync
    > or scp) without necessity of typing in passphrase - is ssh key without
    > passphrase OK? Then this could work from cron easily. Of course I
    > would create special user for this uploads, with limited rights
    > (e.g. chroot /var/log on the server, no shell, etc).
    
    You want to use a key without a passphrase; make sure to restrict the
    key's filesystem permissions on the client so that only the appropriate
    user can read it.
    
    -Jeff
    
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 12:16:13 PST
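
The streaming approach described in the reply above, as an added example that is not part of the original message: a server-side receiver that can only append, with the `authorized_keys` forced-command entry and the client pipeline shown as comments. The script name `log-append`, the `logship` user, the key path and the log paths are assumptions, and `tail -F` is assumed to be available on the client.

```shell
#!/bin/sh
# Added example, not code from the original thread. All names and paths
# below are hypothetical.
#
# Server side, ~logship/.ssh/authorized_keys (a single line). The forced
# command replaces whatever the client asks to run, so the key can do
# nothing except feed this script:
#   command="/usr/local/bin/log-append --receive /var/log/remote/client1.log",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <key-type> <public-key> logship@client1
#
# Client side (passphrase-less key, mode 0600, readable only by the
# shipping user):
#   tail -F /var/log/messages | ssh -i /etc/logship/id_logship logship@loghost

# append_stream DEST: copy stdin to DEST one line at a time, append-only.
# DEST is reopened for every line, so when the log server rotates the file
# by renaming it, later lines land in a fresh DEST without any signal
# handling. Nothing the client sends can truncate or replace earlier data.
append_stream() {
    dest=$1
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line" >>"$dest"
    done
}

# The destination comes only from the authorized_keys line above.
# SSH_ORIGINAL_COMMAND (what the client requested) is never consulted.
if [ "${1:-}" = "--receive" ] && [ -n "${2:-}" ]; then
    umask 077
    append_stream "$2"
fi
```
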