Re: Secure remote syslogging?
On Wednesday 23 April 2003 17:48, Stefan Neufeind wrote:
> But what if you can't deploy a separate network just for syslog?
> Encrypt it somehow?
There are at least a couple of options:
1) Encrypt the syslog stream.
2) Keep the syslog stream plaintext, but really harden the syslog server as
much as you can.
The disadvantage to this is that an intruder may be able to deduce that he's
being monitored (even if the syslog stream is encrypted), but it's a fair
compromise if the situation doesn't warrant an admin network.
> In separate files for the machines on the central server?
> I guess this would best suit my needs. But again: It needs to be
> secure - even over a "public switch" :-(((
I'm assuming you mean maintaining a separate log per machine that you collect
logs for? I wouldn't bother with that, personally. Grep is a great tool...
If you *really* generate a lot of log information and need to analyze it in
greater detail, then dumping it into a database at the back end could be
warranted. For most sites, though, grep is quite sufficient, especially if
you combine it with swatch -- which can look through your log files for
particular events that you define, and then email/page you when/if they
occur. A simple, but quite usable intrusion detection system of sorts...
All IMHO, of course... Regardless of how you implement it, I always prefer to
see a dedicated log server on a production network. I think that it is time
and money well spent to set one up properly.
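As an added example (not part of the original post, and not swatch's own code): a small Python sketch of the grep-plus-swatch idea described above. It runs over a handful of constructed syslog lines in the classic "Mon DD HH:MM:SS host prog[pid]: msg" format, as a central log server would collect them from several hosts into one file, matches each line against a list of rules you define, keys the counts on the originating hostname (so one combined file is enough, no per-machine split needed), and calls a notify callback once a rule's threshold is reached. The rule names, thresholds, sample lines and the notify hook are all assumptions made for illustration; in a real deployment notify would send the email/page and the counters would reset on a time window.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines (not real logs): several hosts feeding one
# central syslog file, exactly the layout the post suggests grepping.
SAMPLE_LOG = """\
Apr 23 17:48:01 web1 sshd[2134]: Failed password for root from 10.0.0.5 port 4022 ssh2
Apr 23 17:48:03 web1 sshd[2134]: Failed password for root from 10.0.0.5 port 4023 ssh2
Apr 23 17:48:04 web1 sshd[2134]: Failed password for root from 10.0.0.5 port 4024 ssh2
Apr 23 17:48:09 db1 su[881]: FAILED su for root by backup
Apr 23 17:48:10 db1 cron[611]: (root) CMD (run-parts /etc/cron.hourly)
Apr 23 17:48:12 web1 sshd[2140]: Accepted publickey for admin from 10.0.0.9 port 4100 ssh2
Apr 23 17:48:15 web1 sshd[2134]: Failed password for root from 10.0.0.5 port 4025 ssh2
"""

# Classic BSD syslog line: timestamp, hostname, program with optional [pid], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class Rule:
    """A swatch-style watch rule: name, regex over the message, and how many
    matches from one host are needed before an alert fires (assumed design)."""
    name: str
    pattern: re.Pattern
    threshold: int = 1


# Hypothetical rules for illustration; a site would define its own.
RULES = [
    Rule("ssh-bruteforce",
         re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)"),
         threshold=3),
    Rule("su-failure",
         re.compile(r"FAILED su for (?P<target>\S+) by (?P<user>\S+)")),
]


def parse_line(line):
    """Split one syslog line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def watch(lines, rules, notify=print):
    """Scan lines against rules. Counts are keyed on (host, rule) so one
    combined log file is enough; each key alerts once when its threshold is
    reached. Returns the list of alerts raised."""
    counts = defaultdict(int)
    fired = set()
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for rule in rules:
            m = rule.pattern.search(rec["msg"])
            if not m:
                continue
            key = (rec["host"], rule.name)
            counts[key] += 1
            if counts[key] >= rule.threshold and key not in fired:
                fired.add(key)
                alert = {
                    "rule": rule.name,
                    "host": rec["host"],
                    "count": counts[key],
                    "fields": m.groupdict(),
                    "line": raw,
                }
                alerts.append(alert)
                notify(alert)  # stand-in for the email/page action
    return alerts


if __name__ == "__main__":
    # Stand-alone run: prints the two alerts the constructed sample produces.
    watch(SAMPLE_LOG.splitlines(), RULES)
```

On the sample above this raises two alerts: the third failed root login from 10.0.0.5 on web1 trips the brute-force rule (the fourth failure is counted but suppressed), and the single failed su on db1 trips the su rule; the cron and successful key login lines match nothing.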