RE: [logs] SYSLOG "forwarding"

From: Daniel Cid (danielcid@private)
Date: Thu Feb 17 2005 - 11:11:21 PST


Hi,

You can also use Osaudit (I released it today). It can
act as a syslog server (receiving on udp port 514) and
has many other nice features (such as XML-based
rules, etc). If you have a machine 192.168.1.1 and you
start analyzing the log /var/log/messages and you
forward these messages to the osaudit-server (for
example 192.168.1.10), it will log in the following
way:
from 192.168.1.1 (syslog) -> /var/log/messages.

Or if you are forwarding the snort-full logs:

from 192.168.1.1 (snort-full) -> /var/log/snort/alert.

It's very easy to analyze the logs this way :)

Thanks,

--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com

> --- "Jeremy W. Chalfant" <jeremy@private> wrote:
> I would have to agree here, using syslog-ng may
> eliminate much of the
> hassle you are experiencing, not to mention that it
> has additional
> features you may find surprising.  Very good software
> IMHO.
> 
> Jeremy
> 
> On Sat, 2005-01-29 at 10:52 -0800, Tina Bird wrote:
> > > Router sends syslog to server1, server1 sees the message,
> > > logs it locally and forwards it to server2. That's all well and good.
> > > 
> > > However, the log entry on server1 says that it's from
> > > 'router' - what I want to see; the log entry on server2 says
> > > that it's from 'server1' - not what I want to see.
> > 
> > Stock syslog uses UDP as its transport protocol, and only retains source and
> > destination hostnames/IP addresses based on its UDP headers.  If you want to
> > retain the (quite valuable) information about the original source, not the
> > last source, the easiest thing to do is run syslog-ng with the chain
> > hostname variable set to yes.  I'm sure there are equiv features in other
> > syslog replacements, but syslog-ng is what I'm familiar with.
> > 
> > http://www.balabit.com/products/syslog_ng/
> > 
> > cheers - tbird
> > 
> 
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
>  
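The hostname-overwriting behaviour Tina describes (server2 records 'server1', not 'router'), and the chained-hostname fix, as a small added model that is not code from this thread or from syslog-ng; the 'relay/original' layout of the chained field and the hostnames used are assumptions.

```python
"""Model of syslog forwarding hops: why server2 sees 'server1' as the origin,
and how a chained hostname preserves the original source.
Constructed example; lines use a simplified BSD-syslog (RFC 3164) layout."""
import re

# <PRI>Mmm dd hh:mm:ss HOST rest
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line):
    """Split a BSD-syslog line into (pri, timestamp, host, rest)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    pri, ts, host, rest = m.groups()
    return int(pri), ts, host, rest

def relay_hop(line, sender_addr, chain_hostnames=False):
    """One forwarding hop as the *receiving* daemon records it.

    Stock syslogd trusts only the UDP source address: the HOST field is
    replaced by the peer it actually heard from. With chained hostnames
    (modelled here as 'sender/previous', an assumption about the exact
    layout syslog-ng writes) the earlier hosts are kept.
    """
    pri, ts, host, rest = parse(line)
    if chain_hostnames and host != sender_addr:
        new_host = f"{sender_addr}/{host}"
    else:
        new_host = sender_addr
    return f"<{pri}>{ts} {new_host} {rest}"

def origin_host(line):
    """Original sender: the last element of a chained HOST field."""
    return parse(line)[2].split("/")[-1]

# Constructed message as the router emits it.
ROUTER_LINE = "<38>Feb 17 11:11:21 router sshd[101]: Accepted password for admin"

def forward_chain(chain_hostnames):
    """Router -> server1 -> server2; return what server2 writes to disk."""
    at_server1 = relay_hop(ROUTER_LINE, "router", chain_hostnames)
    at_server2 = relay_hop(at_server1, "server1", chain_hostnames)
    return at_server2

if __name__ == "__main__":
    for chained in (False, True):
        line = forward_chain(chained)
        print(f"chain_hostnames={chained}: {line}")
        print("  origin:", origin_host(line))
```

Without chaining, nothing in server2's copy identifies the router at all, so any correlation done on server2 attributes the event to the relay.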




This archive was generated by hypermail 2.1.3 : Thu Feb 17 2005 - 23:02:00 PST