Hi Sweth,

Have you taken a look at modular syslog (a syslog replacement) from Core Security Technologies (bsd license -- http://www.corest.com/products/corewisdom/CW01.php#nada)? We're just starting testing to move our central syslog system to this, so I can't vouch for it, but it appears to do what you are looking for...

In addition to being able to use a tcp stream (perhaps SSL/SSH encapsulated) for data transfer, it can keep a buffer for dropped connections:

<from README>
TCP Output Module
-----------------
Send messages to a TCP socket. Use it simply as this on command line -i tcp -h <host> -p <port number> -s <bytes>. You may specify an optional buffer to save lines on dropped connections with -s.
</from README>

... Or barring the TCP output module being able to do exactly what you want, the distribution comes with templates and an API for building your own modules.

The product can also keep a running crypto-checksum on the output files (a-la-Tripwire), so you can check for tampering in the case of a compromise. There appears to be a Windows version, if that is important to you. The site also talks about their auditing tools and coming tools that look to be geared towards IDS analysis of syslog data...

Let me know if this works, or if you find something else better!

Take care,
--Jason

---
Jason Piterak
System Architect
CIS Technical Services
33 Main St., Suite 302
Nashua, NH 03064
(603) 889-4684 - FAX (603) 889-0534

> -----Original Message-----
> From: Sweth Chandramouli [mailto:loganalysisat_private]
> Sent: Friday, March 29, 2002 2:03 AM
> To: Log Analysis
> Subject: [logs] Queuing of remote logging
>
> Has anyone (commercial or otherwise) addressed the issue of how to have a host log to a central logging server when the host in question can't always see the loghost? In particular, I'm thinking of laptop situations, although I can see other times when this would be an issue.
>
> Take, for example, an office with an internal RFC 1918-numbered network; employees who are in the office should have their laptops logging to the central server, but if they, say, take the laptop home, the laptop shouldn't attempt to log to that 10.x.x.x loghost across the internet if the employee dials in to their personal ISP, nor should it throw away log messages by attempting to log them across the network when the laptop isn't plugged in to any network at all.
>
> I can see a lot of ways to set things like this up, and was about to start hacking together a prototype in Perl, but I figured I ought to see if anyone else has started any work in this area before I go reinvent the wheel.
>
> -- Sweth.
>
> --
> Sweth Chandramouli Idiopathic Systems Consulting
> svcat_private http://www.idiopathic.net/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private
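
The buffering behaviour described in the README excerpt quoted in this thread (hold lines while the TCP connection is down, bounded by a byte count), sketched as an added Python example; it is not part of the original messages and it is not msyslog's code. The class name, the `connect` hook and the drop-oldest policy when the cap is reached are assumptions made for the illustration.

```python
import socket
from collections import deque


class BufferedTcpForwarder:
    """Queue log lines while the loghost is unreachable; replay them in order later."""

    def __init__(self, host, port, max_bytes, connect=None):
        self.addr = (host, port)
        self.max_bytes = max_bytes      # cap on buffered bytes (assumed policy: drop oldest)
        self.queue = deque()
        self.queued_bytes = 0
        self.dropped = 0                # lines lost to the cap; worth alerting on
        self.sock = None
        # 'connect' is a hypothetical hook so the transport can be swapped (TLS, tests).
        self._connect = connect or (lambda a: socket.create_connection(a, timeout=3))

    def _enqueue(self, data):
        if len(data) > self.max_bytes:  # a single oversized line can never fit
            self.dropped += 1
            return
        self.queue.append(data)
        self.queued_bytes += len(data)
        while self.queued_bytes > self.max_bytes:
            self.queued_bytes -= len(self.queue.popleft())
            self.dropped += 1

    def flush(self):
        """Send queued lines oldest first; return how many were handed to the socket."""
        sent = 0
        try:
            if self.sock is None:
                self.sock = self._connect(self.addr)
            while self.queue:
                # A line leaves the buffer only after sendall() returns. That means
                # "accepted by the local TCP stack", not "stored by the loghost".
                self.sock.sendall(self.queue[0])
                self.queued_bytes -= len(self.queue.popleft())
                sent += 1
        except OSError:
            # Loghost unreachable or connection dropped: keep the backlog, retry later.
            if self.sock is not None:
                self.sock.close()
            self.sock = None
        return sent

    def log(self, line):
        """Buffer one line, then try to deliver the whole backlog."""
        self._enqueue(line.encode("utf-8") + b"\n")
        return self.flush()
```

The `dropped` counter is the number to watch: a non-zero value means the buffer was too small for the outage and the central log has a gap.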
This archive was generated by hypermail 2b30 : Fri Mar 29 2002 - 08:11:04 PST