I use our parallel backup backbone for log transfers. All hosts feed via standard syslog (udp:514) to a syslog-ng collector running on the backup server in each data centre. These then feed via tcp:5140 to the central log server over a stunnel (check sourceforge) connection. In order to tunnel via ssh or stunnel, you need to be using TCP as a transport and not UDP.
This keeps the individual hosts as "standard" as possible. I don't want to have to worry about getting a syslog-ng package for each host, not to mention what to do about the Cisco or other equipment that only supports regular syslog. So my take is to feed collectors in each data centre via standard UDP syslog.

As for the Windows hosts, we are using ntsyslog, available via sourceforge. Our Windows admins have packaged it up with a standard config and include it in all server images.

I am still wondering what to do for some measure of high availability of the logs. One possibility is to have each syslog-ng collector of each data centre send to two separate central log servers, one in Montreal, the other in Toronto. The problem here is that SEQ numbers are out of sync between the two databases. Another is to have some MySQL database replication. A disadvantage here is that should the primary go down, new log events will be dropped.

I suppose if we really wanted to go one step beyond, we could include some sort of data-integrity field that is calculated at event-generation time and provides an MD5 hash of the host, time/date and syslog event data. Then, when logs are viewed, we could recalculate the hash and compare with the original. If done properly, this would provide a layer of non-repudiation should the logs be used in a legal context.

Cheers,
/Jason

On Jul 21, 2006, at 6:16 AM, Marcin Wasilewski wrote:

> Hello,
>
> I have a question about secure central logging. How do you secure your
> configurations? Is it SSH tunnelling or maybe something else? And what about
> events from Windows hosts?
> My central log server is Debian, syslog-ng and mysql.
> Thanks for every info.
>
> Best regards
> Marcin
> _______________________________________________
> Php-syslog-ng-support mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/php-syslog-ng-support
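An added example of the per-event integrity field sketched in Jason's reply above. This is editor-added code, not from the post, from syslog-ng or from php-syslog-ng. It assumes things the post does not state: events arrive as BSD syslog lines (`<PRI>Mon dd hh:mm:ss host message`) from the udp:514 collectors; the tag is computed on the central server under a key (`CENTRAL_KEY`, hypothetical) that the hosts and collectors never hold; and the keyed tag is also used as the record id, which is one way around the SEQ numbers of two independent central servers drifting apart. The post's unkeyed MD5 is kept alongside the keyed tag so the two can be compared on the same records.

```python
"""Per-event integrity tags for collected syslog records.

Added example, not code from the post above nor from syslog-ng or
php-syslog-ng. Assumptions not in the post: events arrive as BSD syslog
lines (<PRI>Mon dd hh:mm:ss host message) from the udp:514 collectors; the
tag is added on the central server under a key (CENTRAL_KEY, hypothetical)
that the hosts and collectors never hold; and the tag doubles as the record
id, so two central servers fed the same events derive the same ids.
"""
import hashlib
import hmac
import re

# Hypothetical key, kept only on the central log server(s).
CENTRAL_KEY = b"example-key-not-for-production"

# Constructed sample lines in the shape a udp:514 collector receives.
SAMPLE_LINES = [
    "<34>Jul 21 06:16:01 web01 sshd[4122]: Failed password for root from 10.1.2.3 port 51234 ssh2",
    "<86>Jul 21 06:16:02 web01 sshd[4122]: Accepted publickey for deploy from 10.1.2.4 port 51240 ssh2",
    "<13>Jul 21 06:16:05 core-rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(4444) -> 10.1.2.3(23), 1 packet",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse(line):
    """Split a BSD syslog line into facility, severity, timestamp, host, message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def canonical(rec):
    """Length-prefix each field so moving bytes between host, time and message
    cannot produce the same input to the hash."""
    out = b""
    for field in ("host", "ts", "msg"):
        data = rec[field].encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def md5_tag(rec):
    """The unkeyed scheme sketched in the post: MD5 over host, time and message."""
    return hashlib.md5(canonical(rec)).hexdigest()


def hmac_tag(rec, key=CENTRAL_KEY):
    """Keyed variant: only a holder of the key can produce a matching tag."""
    return hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()


def ingest(lines, key=CENTRAL_KEY):
    """Tag each event as it is stored. Both tags are kept so the difference
    between them can be shown; the keyed tag is also the record id."""
    store = {}
    for line in lines:
        rec = parse(line)
        rec["md5"] = md5_tag(rec)
        rec["tag"] = hmac_tag(rec, key)
        store[rec["tag"]] = rec
    return store


def verify_md5(store):
    """Recompute the unkeyed hash at view time; return ids that no longer match."""
    return [rid for rid, rec in store.items() if md5_tag(rec) != rec["md5"]]


def verify(store, key=CENTRAL_KEY):
    """Recompute the keyed tag at view time; return ids that no longer match."""
    return [rid for rid, rec in store.items()
            if not hmac.compare_digest(hmac_tag(rec, key), rec["tag"])]


def tamper(store, needle, replacement):
    """Simulate someone with write access to the log database: edit a message
    and refresh the unkeyed hash so the record still looks self-consistent.
    The keyed tag cannot be refreshed without CENTRAL_KEY. Returns the id."""
    rid = next(rid for rid, rec in store.items() if needle in rec["msg"])
    rec = store[rid]
    rec["msg"] = rec["msg"].replace(needle, replacement)
    rec["md5"] = md5_tag(rec)
    return rid


if __name__ == "__main__":
    store = ingest(SAMPLE_LINES)
    rid = tamper(store, "for root from", "for nobody from")
    print("unkeyed MD5 flags:", verify_md5(store))  # [] : the edit goes unnoticed
    print("keyed tag flags:  ", verify(store))      # [rid] : the edit is caught
```

Two points the example is built to show. First, an unkeyed hash over fields that are themselves stored in the database can be recomputed by whoever edits the record, so it catches accidental corruption but not a deliberate edit; keying the tag with a secret that lives only on the central server (never on the hosts or collectors, which is where a compromise would start) is what makes a refreshed tag infeasible. Second, because the id is derived from content rather than from an autoincrement, two central servers fed by the same collectors assign the same id to the same event; ordering still comes from the timestamp, and two events with identical host, timestamp and text within one second collapse to one id, which is worth a sequence field if that matters.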

