Hi Scott,

Here are my insights into this matter:

1) There are quite some network and security devices which have a built-in syslog feature and there is no way of actually moving them over to -ng. The best you can do is put pressure on the vendor to add -ng support. So a simple solution would be to build a kind of a syslogd to syslog-ng bridge node. This d-ng bridge can do whatever you want it to do:
> serve multiple destinations either on -d or -ng
> filter out certain severities (eg debug messages)
> rewrite the log format (however unadvisable)
> add timestamps to it (if wanted / needed)
etc

2) In widely scattered networks such a bridge can act like a concentrator. There are lots of local connections to the concentrator using either -d or -ng. All possible firewall problems can be solved locally (nice), while the way up into the central server can be a tightly screened and secured (why not add ssl-tunneling or do syslog-tls) tcp connection which can be described by the security engineers and entered into the firewall/ips. And yes, this tcp connection can be beefed up to dimensions like 100Mbps or whatever is needed without ever losing a single message. The suggested term could be area-concentrator.

Such a construction solves
A) protocol translation (udp to tcp)
B) large firewall rulesets
C) concentrates security
D) forgo replacing syslogd services if at all possible

My 2 cents

Ir. Ernst J. Mellink
IT Security Architect

-----Original Message-----
From: loganalysis-bounces+e.j.mellink=more-secure.nl@private [mailto:loganalysis-bounces+e.j.mellink=more-secure.nl@private] On Behalf Of ScottO
Sent: Wednesday 24 May 2006 17:17
To: loganalysis@private
Subject: [logs] hosts to central logging servers efficiency: syslog or syslog-ng

Since I got great feedback from this list regarding a centralized logging set of questions before, I figured I would get thoughts from everyone regarding this.

Two options for the host machines sending to collectors and/or central server.

One has them keeping regular syslogd and forwarding to a collector using udp. Then the collector would filter out unnecessary stuff, do some processing, etc. before passing onto a central server (with the edges and central using syslog-ng).

The second has the hosts getting syslog-ng, then doing some filtering on each host before sending to the collectors over tcp, before the collector possibly does additional filtering, analysis, etc. before forwarding on to the central server (again, with the edges and central using syslog-ng).

I guess some things that I have been thinking about are: is possibly slightly less data sent over tcp more or less efficient network bandwidth-wise than sending all the data over udp? The obvious piece of not having to replace syslog with syslog-ng across thousands of hosts is a huge win, plus the individual hosts not doing any filtering keeps them using their cycles and resources for their main duties and not analyzing logs.

Thoughts??

Thanks again,
Scott

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
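The syslogd-to-syslog-ng bridge (area-concentrator) Ernst describes above, written up as a syslog-ng configuration: legacy devices send plain UDP syslog locally, debug chatter is dropped at the bridge, and a single TLS-protected TCP connection with a disk buffer carries everything to the central server. This is an added example, not part of the original thread or of syslog-ng's own documentation; the version line, hostname, port numbers, file paths and certificate locations are assumptions.

```conf
@version: 3.38
@include "scl.conf"

# Legacy side: accept RFC 3164 syslog over UDP from devices that cannot
# run syslog-ng. keep-timestamp(no) makes the bridge stamp each message
# with its own receive time, for devices whose clocks are unreliable.
source s_legacy_udp {
    network(ip("0.0.0.0") port(514) transport("udp") keep-timestamp(no));
};

# Hosts that already run syslog-ng can reach the concentrator over TCP.
source s_local_ng {
    network(ip("0.0.0.0") port(601) transport("tcp"));
};

# Drop debug-severity messages before they leave the local network.
filter f_not_debug { not level(debug); };

# Central side: one screened, mutually authenticated TLS connection that
# the firewall team can describe as a single rule. The reliable disk
# buffer keeps messages across outages instead of losing them.
# Hostname and paths are placeholders.
destination d_central_tls {
    syslog("central.example.internal" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/key.d/bridge.key")
            cert-file("/etc/syslog-ng/cert.d/bridge.crt")
            peer-verify(required-trusted))
        disk-buffer(disk-buf-size(1073741824) reliable(yes))
    );
};

# Second destination, kept locally for the security team (optional).
destination d_local_archive { file("/var/log/bridge/all.log"); };

log {
    source(s_legacy_udp);
    source(s_local_ng);
    filter(f_not_debug);
    destination(d_central_tls);
    destination(d_local_archive);
};
```

The firewall between the bridge and the central server then only needs to permit the bridge's source address to the central host on TCP 6514, which is the single described connection Ernst refers to.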
This archive was generated by hypermail 2.1.3 : Fri May 26 2006 - 13:10:27 PDT