
Re: Secure remote syslogging?



On Wednesday 23 April 2003 17:48, Stefan Neufeind wrote:
> But what if you can't deploy a separate network just for syslog?
> Encrypt it somehow?

There are at least a couple of options:

1) Encrypt the syslog stream.
2) Keep the syslog stream plaintext, but really harden the syslog server as 
much as you can.

The disadvantage to this is that an intruder may be able to deduce that he's 
being monitored (even if the syslog stream is encrypted), but it's a fair 
compromise if the situation doesn't warrant an admin network.

> In separate files for the machines on the central server?
> I guess this would best suit my needs. But again: It needs to be
> secure - even over a "public switch" :-(((

I'm assuming you mean maintaining a separate log per machine that you collect 
logs for?  I wouldn't bother with that, personally.  Grep is a great tool...  
If you *really* generate a lot of log information and need to analyze it in 
greater detail, then dumping it into a database at the back end could be 
warranted.  For most sites, though, grep is quite sufficient, especially if 
you combine it with swatch -- which can look through your log files for 
particular events that you define, and then email/page you when/if they 
occur.  A simple, but quite usable intrusion detection system of sorts...

All IMHO, of course...  Regardless of how you implement it, I always prefer to 
see a dedicated log server on a production network.  I think that it is time 
and money well spent to set one up properly.

Cheers,

Ken
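As an added illustration of the swatch-style approach Ken describes (this is example code, not part of his mail or of swatch itself), the following parses BSD-style syslog lines as a central log server would receive them, counts the events you define per sending host, and raises an alert once a threshold is reached. The log lines, the regex and the rule table are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of BSD-style syslog lines (made up for this example).
SAMPLE_LOG = """\
Apr 23 17:48:01 web1 sshd[2101]: Failed password for root from 10.0.0.5 port 4022 ssh2
Apr 23 17:48:03 web1 sshd[2101]: Failed password for root from 10.0.0.5 port 4023 ssh2
Apr 23 17:48:05 web1 sshd[2101]: Failed password for root from 10.0.0.5 port 4024 ssh2
Apr 23 17:49:10 db1 su[880]: FAILED SU (to root) ken on /dev/pts/1
Apr 23 17:50:00 db1 cron[312]: (root) CMD (run-parts /etc/cron.hourly)
Apr 23 17:50:42 web1 kernel: eth0: link up
"""

# BSD syslog header: timestamp, hostname, tag, message (regex written for this example).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)

# Events to watch for, swatch-style: name -> (pattern, hits needed before alerting).
WATCH = {
    "ssh_bruteforce": (re.compile(r"Failed password for \S+ from \S+"), 3),
    "failed_su": (re.compile(r"FAILED SU"), 1),
}

def parse(line):
    """Split one syslog line into its header fields, or return None if it doesn't parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def watch(text, rules=WATCH):
    """Return {event: {host: count}} for hosts whose count reached the rule's threshold."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # unparseable line; a real watcher should record these separately
        for name, (pat, _) in rules.items():
            if pat.search(rec["msg"]):
                counts[name][rec["host"]] += 1
    alerts = {}
    for name, (_, threshold) in rules.items():
        hits = {h: n for h, n in counts[name].items() if n >= threshold}
        if hits:
            alerts[name] = hits
    return alerts

if __name__ == "__main__":
    for event, hosts in watch(SAMPLE_LOG).items():
        for host, n in hosts.items():
            print(f"ALERT {event} on {host}: {n} matching lines")  # swatch would mail/page here
```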


