Gday,

To add to what Jason has said, at the place I work we mainly collect event logs from
Windows servers; due to working in a legal environment, to us data integrity is
of the utmost importance.

Our setup is as follows:

Syslog on the Windows server is fed to a central syslog-ng server over a
secure tunnel (using Zebedee). When the data reaches the syslog-ng server the
data is decrypted and then fed into a MySQL database. The server is protected
using iptables and we run Tripwire on the server every night to make sure
that data integrity is kept.

Check out the following link to an email I sent to the syslog-ng mailing list last
year for more info.

https://lists.balabit.hu/pipermail/syslog-ng/2005-June/007570.html

I hope that will help.

Kind Regards

Michael

Quoting Jason Taylor <[EMAIL PROTECTED]>:

> I use our parallel backup backbone for log transfers.
> All hosts feed via standard syslog (udp:514) to a syslog-ng collector  
> running on the backup server in each data centre.
> These then feed via tcp:5140 to the central log server over a stunnel
> (check sourceforge) connection.  In order to tunnel via ssh or
> stunnel, you need to be using TCP as a transport and not UDP.
> 
> This keeps the individual hosts as "standard" as possible.  I don't  
> want to have to worry about getting a syslog-ng package for each  
> host, not to mention what to do about the cisco or other equipment  
> that only supports regular syslog.  So my take is to feed collectors  
> in each data-centre via standard udp syslog.
> 
> As for the windows hosts, we are using ntsyslog, available via  
> sourceforge.
> 
> Our Windows admins have packaged it up with a standard config and  
> include it in all server images.
> 
> I am still wondering what to do for some measure of high availability  
> of the logs.
> One possibility is to have each syslog-ng collector of each data-centre
> send to two separate central log servers, one in Montreal, the
> other in Toronto.  Problem here is that SEQ numbers are out of sync
> between the two databases.
> Another is to have some MySQL database replication.  A disadvantage  
> here is that should the primary go down, new log events will be dropped.
> 
> I suppose if we really wanted to go one step beyond, we could include
> some sort of data-integrity field that is calculated at event-generation
> time and provides an MD5 hash of the host, time/date and
> syslog event data.  Then, when logs are viewed, we could
> recalculate the hash and compare with the original.  If done
> properly, this would provide a layer of non-repudiation in case the
> logs are to be used in a legal aspect.
> 
> Cheers,
> 
> /Jason
> 
> 
> On Jul 21, 2006, at 6:16 AM, Marcin Wasilewski wrote:
> 
> > Hello,
> >
> > I have a question about secure central logging. How do you secure your
> > configurations, is it ssh tunnelling or maybe something else? And
> > what about
> > events from Windows hosts?
> > My central log server is Debian, syslog-ng and mysql.
> > Thanks for every info.
> >
> > Best regards
> > Marcin
> >
> >
> > ---------------------------------------------------------------------- 
> > ---
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to  
> > share your
> > opinions on IT & business topics through brief surveys -- and earn  
> > cash
> > http://www.techsay.com/default.php? 
> > page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Php-syslog-ng-support mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/php-syslog-ng-support
> 
> 
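Jason's per-event integrity field, as an added example that is not from the thread or from syslog-ng: each (host, time/date, event data) row is sealed with a digest at insert time and the digest is recomputed at view time. Because anyone who can edit the MySQL row can also recompute a plain MD5, the example additionally supports a keyed HMAC-SHA256 (a swapped-in technique, assuming the key is held only on the central log server, never on the sending hosts); hosts, messages and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample rows, shaped like the syslog-ng -> MySQL records in the
# thread (hypothetical hosts and messages, not data from any list post).
SAMPLE_ROWS = [
    {"seq": 1, "host": "dc1-web01", "datetime": "2006-07-21 06:16:02",
     "msg": "sshd[4123]: Accepted publickey for backup from 10.0.1.5"},
    {"seq": 2, "host": "dc1-web01", "datetime": "2006-07-21 06:17:40",
     "msg": "sudo: jtaylor : TTY=pts/0 ; COMMAND=/sbin/iptables -L"},
    {"seq": 3, "host": "tor-db02", "datetime": "2006-07-21 06:18:11",
     "msg": "mysqld: Normal shutdown"},
]

def canonical(row):
    """Fixed byte layout of the fields Jason names: host, time/date, event data."""
    return "\n".join((row["host"], row["datetime"], row["msg"])).encode("utf-8")

def integrity_field(row, key=None):
    """MD5 of the event as proposed in the thread, or, when a key is given
    (assumption: key lives only on the central server), an HMAC-SHA256 that
    someone who can edit the table but lacks the key cannot recompute."""
    if key is None:
        return hashlib.md5(canonical(row)).hexdigest()
    return hmac.new(key, canonical(row), hashlib.sha256).hexdigest()

def seal(row, key=None):
    """Attach the integrity field at event-generation / insert time."""
    return {**row, "integrity": integrity_field(row, key)}

def verify(row, key=None):
    """Recompute at view time and compare with the stored field."""
    return hmac.compare_digest(integrity_field(row, key), row["integrity"])

def audit(rows, key=None):
    """Return the seq numbers of rows whose stored field no longer matches."""
    return [r["seq"] for r in rows if not verify(r, key)]

def tamper(rows, seq, new_msg, recompute=False, key=None):
    """Simulate an edit to one stored row. With recompute=True the editor also
    rewrites the field, which needs no secret for plain MD5 but needs the key
    for the HMAC variant; this is the gap the keyed field closes."""
    out = []
    for r in rows:
        if r["seq"] == seq:
            r = {**r, "msg": new_msg}
            if recompute:
                r["integrity"] = integrity_field(r, key)
        out.append(r)
    return out
```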
