Tim Kramer wrote:
>
> For centralized logging, you'll want a larger than normal hard drive
> on a machine that's set up to do nothing other than logging (for
> security reasons, mostly). Linux performs this function adequately.
> There ARE a couple new versions of syslog with better security
> than the standard syslogd, also (I haven't had time to look at them
> yet).
>
If you have a system that you are doing logging on that can be
used as a representative system for the ones you will be
collecting for, then do the math. I usually figure on 2x
expected capacity needs for 1 year's growth. So if I expect
to add 10 systems over the next year to the 20 I have, I take
my average per system and multiply by (2 * (10 + 20)), or 60
to figure on my log partition needs. I then set a warning
process to page me if it goes over 75% full or the day's growth
is greater than 150% of normal.
That's how I sized the partition I dump syslogd logs to. My
partition for logging the DSL link is another story. It's
striped across a set of disks.
> Mattias Marberg wrote:
> > Does anybody know of a good syslogserver for Linux? If you do, where can
> > I find it? I need to receive and sort/analyse the syslog from my
> > firewalls/routers.
For my syslogd logs I just use greps for certain strings. The
Debian http://www.debian.org/ distribution of Linux has a couple
of programs for scanning the logs from syslogd, and other sources.
Look under their packages directory. I think they will be under
system or utils. Poke around.
For the DSL data I'm trying out the SHADOW set of TCPDUMP scanners.
Look at: http://www.nswc.navy.mil/ISSEC/CID/ for more details.
I have to modify them a bit as I'm doing full packet dumping
versus the header only dumping they use with tcpdump.
--
| Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
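The sizing rule and the two page conditions from the post above, written out as a small script. This is an added example, not code from the thread or from either poster; the numbers are constructed, `/var/log` and `/dev/sda3` are assumed, and "normal" daily growth (which the post does not define) is taken here to be the mean of the prior days.

```python
# Added example (not code from the original thread): the post's partition-sizing
# rule and its two page conditions, plus a parser for POSIX `df -P` output.
# Sample numbers are constructed; "normal" growth (undefined in the post) is
# assumed here to be the mean of the prior days.
from typing import List, Sequence, Tuple


def size_log_partition_mb(avg_mb_per_system: float, current: int, expected_new: int) -> float:
    """Post's rule: per-system average * (2 * (current + expected new))."""
    return avg_mb_per_system * (2 * (current + expected_new))


def parse_df(df_output: str, mount: str) -> Tuple[int, int]:
    """Return (used_kb, size_kb) for `mount` from `df -P` output."""
    for line in df_output.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 6 and fields[5] == mount:
            return int(fields[2]), int(fields[1])
    raise ValueError(f"{mount} not in df output")


def check_log_partition(used_kb: int, size_kb: int, daily_growth_mb: Sequence[float],
                        full_threshold: float = 0.75, growth_threshold: float = 1.5) -> List[str]:
    """Alarms the post pages on: over 75% full, or today's growth over 150% of normal.
    daily_growth_mb is oldest-first, today last. A jump in volume (a misbehaving host
    or something noisy on the network) fills the partition sooner than planned."""
    alarms: List[str] = []
    if size_kb > 0 and used_kb / size_kb > full_threshold:
        alarms.append(f"partition {100 * used_kb / size_kb:.0f}% full")
    if len(daily_growth_mb) >= 2:
        *history, today = daily_growth_mb
        normal = sum(history) / len(history)
        if normal > 0 and today > growth_threshold * normal:
            alarms.append(f"growth {today:.0f} MB is {today / normal:.1f}x normal")
    return alarms


# Constructed: 20 systems now, 10 expected next year, 50 MB/system/year average.
SIZE_MB = size_log_partition_mb(50, 20, 10)  # 50 * 60 = 3000 MB
# Constructed `df -P` output: the 3000 MB (3072000 KB) log partition at 80%.
DF_SAMPLE = """Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda3 3072000 2457600 614400 80% /var/log
"""

if __name__ == "__main__":
    used, size = parse_df(DF_SAMPLE, "/var/log")
    for alarm in check_log_partition(used, size, [40, 42, 38, 41, 90]):
        print("PAGE:", alarm)
```

Run from cron with real `df -P` output and a file of per-day byte counts to get the same paging behaviour the post describes.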