Rainer Gerhards wrote:
> Obviously, my central log server will be a hardened machine placed in a
> secure part of my network. So I feel bad about placing the database engine
> on that same machine - after all, the DB might be queried by security
> admins to work with it. So I would need to open up a number of ports that
> I do not really like to open....

That's what VPNs are for, really. Why not use a couple of machines running
IPSEC and have them centralize things that way?

> Ok, next approach: the collector forwards events to the repository via
> syslog protocol.

Syslog protocol is unreliable and, unless you use a version that has been
made decent, will lose messages if the recipient is down. I don't recommend
using syslog unless you can possibly help it.

> Collector
>  - stores incoming events in flat files inside file system --> written
>    to CD on a schedule
>  - forwards via syslog to the repository machine

How about:

collector
 - stores syslog events to log file and rotates them/archives them on
   schedule
 - applies "stop list" (list of records that are known to be OK to discard)
   to log file and generates a temporary view file

repository machine:
 - scp (or FTP's over VPN or whatever) copies temporary view files from
   collector and deletes them when successful

I've left the whole "...and stick it in a database" part out because that's
a HARD problem to tackle right and I think that will be the bulk of your
pain. Hint: before you think about putting it into a database, ask yourself
"what queries will I want to make?" and see if it's even possible to make a
data model that will allow them...

mjr.
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjrat_private

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
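The collector/repository split sketched in the reply above, as an added shell example that is not part of the original thread: a stop-list pass that turns a syslog file into a temporary view file, and a repository-side pull that deletes the source only after the copy succeeded. The sample syslog records, the stop-list patterns and the use of cp in place of scp (so it runs locally) are all constructed for the example.

```shell
# Added example, not from the thread: Marcus's two steps in shell. Collector:
# drop stop-listed (known-OK) records into a temporary view file. Repository:
# copy the view and delete it only once the copy succeeded. Stop-list entries
# are extended regexes, one per line (a blank line would drop every record).

# Constructed sample syslog records standing in for the collector's log file.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 28 09:40:01 gw syslogd 1.4.1: restart.
Oct 28 09:41:12 gw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Oct 28 10:00:00 gw -- MARK --
Oct 28 10:02:33 gw sshd[2200]: Connection closed by 192.0.2.10
Oct 28 10:03:41 gw sshd[2210]: Failed password for root from 192.0.2.10 port 5122 ssh2
Oct 28 10:20:00 gw -- MARK --
EOF
}

# Constructed stop list: noise that is safe to leave out of the view.
write_stoplist() {
    cat > "$1" <<'EOF'
 -- MARK --$
 CRON\[[0-9]+\]: \(root\) CMD 
 sshd\[[0-9]+\]: Connection closed by 
EOF
}

# apply_stoplist LOGFILE STOPLIST VIEWFILE -> prints the number of records kept.
# Written to a temp name and renamed so the repository never fetches a
# half-written view. grep exit 1 (nothing kept) is fine; exit 2 is an error.
apply_stoplist() {
    tmp="$3.tmp.$$"
    grep -E -v -f "$2" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$3" || return 1
    wc -l < "$3" | tr -d ' '
}

# pull_view SRC DEST: repository side; the source is removed only after the
# copy succeeded. cp stands in for scp here so the example runs locally;
# over the VPN it would be "scp collector:SRC DEST && ssh collector rm -f SRC".
pull_view() {
    cp "$1" "$2" || return 1
    rm -f "$1"
}
# Run the pipeline in a scratch directory: "sh stoplist.sh demo".
run_example() {
    d=$(mktemp -d); write_sample_log "$d/messages"; write_stoplist "$d/stoplist"
    echo "kept $(apply_stoplist "$d/messages" "$d/stoplist" "$d/view.log") records"
    pull_view "$d/view.log" "$d/repo.log" && echo "pulled to $d/repo.log"
}
case "${1:-}" in demo) run_example ;; esac
```

Of the six constructed records, the two MARK lines, the cron job and the closed connection are dropped; the syslogd restart and the failed root login survive into the view.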
This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 09:43:14 PST