Hello, thanks for Your reply. I think that Zebedee will be good, but I have some problems with sending events through the tunnel I made with this.
I ran:

zebedee -U -s

on the syslog-ng server machine, and on my Windows client machine:

C:\Program Files\Zebedee>zebedee.exe -U 1234:syslog-machine:22
zebedee(3944/2384): Listening on local port 1234
zebedee(3944/2384): Listening on local port 1234

to test that I can connect by SSH on port 1234 on my localhost to syslog-machine - and it works. Then I changed it to tunnel UDP events to syslog:

C:\Program Files\Zebedee>zebedee.exe -U 514:syslog-machine:514
zebedee(968/2732): Listening on local port 514
zebedee(968/2732): Listening on local port 514

and changed the evtsys service to report events to my localhost:

net stop evtsys
evtsys -u
evtsys -i -h my_local_ip
net start evtsys

and nothing is sent to syslog-machine... and I wonder why... Maybe You have any ideas?

Best regards
Marcin

----- Original Message -----
From: "Michael Bryant" <[EMAIL PROTECTED]>
To: "Jason Taylor" <[EMAIL PROTECTED]>
Cc: "Marcin Wasilewski" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Sunday, July 23, 2006 3:00 AM
Subject: Re: [Php-syslog-ng-support] Secure log transfer to central log server

> Gday,
>
> To add to what Jason has said, at the place I work we mainly collect event
> logs from Windows servers; due to working in a legal environment, to us data
> integrity is of the utmost importance.
>
> Our setup is as follows:
>
> Syslog on the Windows server is fed to a central syslog-ng server over a
> secure tunnel (using Zebedee). When the data reaches the syslog-ng server the
> data is decrypted and then fed into a MySQL database. The server is protected
> by using iptables and we run Tripwire on the server every night to make sure
> that data integrity is kept.
>
> Check out the following link of an email I sent to the syslog-ng mail list
> last year for more info.
>
> https://lists.balabit.hu/pipermail/syslog-ng/2005-June/007570.html
>
> I hope that will help.
>
> Kind Regards
>
> Michael
>
> Quoting Jason Taylor <[EMAIL PROTECTED]>:
>
>> I use our parallel backup backbone for log transfers.
>> All hosts feed via standard syslog (udp:514) to a syslog-ng collector
>> running on the backup server in each data centre.
>> These then feed via tcp:5140 to the central log server over an stunnel
>> (check sourceforge) connection. In order to tunnel via ssh or
>> stunnel, you need to be using TCP as a transport and not UDP.
>>
>> This keeps the individual hosts as "standard" as possible. I don't
>> want to have to worry about getting a syslog-ng package for each
>> host, not to mention what to do about the Cisco or other equipment
>> that only supports regular syslog. So my take is to feed collectors
>> in each data-centre via standard UDP syslog.
>>
>> As for the Windows hosts, we are using ntsyslog, available via
>> sourceforge.
>>
>> Our Windows admins have packaged it up with a standard config and
>> include it in all server images.
>>
>> I am still wondering what to do for some measure of high availability
>> of the logs.
>> One possibility is to have each syslog-ng collector of each data-centre
>> send to two separate central log servers, one in Montreal, the
>> other in Toronto. The problem here is that SEQ numbers are out of sync
>> between the two databases.
>> Another is to have some MySQL database replication. A disadvantage
>> here is that should the primary go down, new log events will be dropped.
>>
>> I suppose if we really wanted to go one step beyond, we could include
>> some sort of data-integrity field that is calculated at event-generation
>> time and provides an MD5 hash of the host, time/date and
>> syslog event data. Then, when logs are viewed, we could
>> recalculate the hash and compare with the original. If done
>> properly, this would provide a layer of non-repudiation in case the
>> logs are to be used in a legal aspect.
>>
>> Cheers,
>>
>> /Jason
>>
>>
>> On Jul 21, 2006, at 6:16 AM, Marcin Wasilewski wrote:
>>
>> > Hello,
>> >
>> > I have a question about secure central logging. How do You secure Your
>> > configurations? Is it ssh tunnelling or maybe something else? And
>> > what about events from Windows hosts?
>> > My central log server is Debian, syslog-ng and mysql.
>> > Thanks for every info.
>> >
>> > Best regards
>> > Marcin
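Two points in Jason's reply lend themselves to a worked example: an ssh or stunnel tunnel needs TCP, so UDP-only agents such as evtsys or ntsyslog need a local hop that turns their datagrams into a newline-framed TCP stream (which is what syslog-ng's tcp() source expects), and a per-event integrity field computed at event-generation time lets the stored record be re-checked when it is viewed. The Python below is an added example written for this thread; it is not code from any poster, from Zebedee, evtsys or syslog-ng. The listen and forward addresses, the host name and the key are constructed placeholders, and the tag uses a keyed HMAC-SHA256 rather than the bare MD5 Jason sketches, on the assumption that a shared key is provisioned out of band (a keyed tag cannot be silently recomputed by someone who can edit the database rows, which a plain hash can).

```python
"""UDP-to-TCP syslog relay with a keyed per-event integrity tag (added example).

Assumptions (placeholders, not taken from the thread): the local agent sends
to LISTEN_UDP, the local end of an stunnel/ssh tunnel listens on FORWARD_TCP,
and INTEGRITY_KEY is a secret shared with whoever verifies stored records.
"""
import hashlib
import hmac
import socket
import threading
import time

LISTEN_UDP = ("127.0.0.1", 5514)    # where the Windows agent is pointed (placeholder)
FORWARD_TCP = ("127.0.0.1", 5140)   # local tunnel endpoint, as in Jason's tcp:5140 (placeholder)
INTEGRITY_KEY = b"replace-with-provisioned-secret"  # constructed placeholder


def integrity_tag(host: str, timestamp: str, message: str, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed tag over host, time and event text.

    Jason's sketch uses an MD5 of the same three fields; an HMAC is used here so
    that the tag cannot be recomputed without the key after a record is altered.
    Fields are joined with NUL so that "a|b" + "c" and "a" + "b|c" cannot collide.
    """
    data = "\x00".join((host, timestamp, message)).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def frame_for_tcp(datagram: bytes, host: str, timestamp: str) -> bytes:
    """Turn one UDP datagram into a single newline-terminated TCP record.

    syslog-ng's tcp() source splits the stream on newlines, so any newline
    inside the event is flattened and exactly one terminator is appended.
    The tag travels with the event as a trailing " [integrity=...]" suffix.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n").replace("\n", " ")
    tag = integrity_tag(host, timestamp, text)
    return f"{text} [integrity={tag}]\n".encode("utf-8")


def verify_record(record: bytes, host: str, timestamp: str) -> bool:
    """Recompute the tag on a stored record and compare it, as proposed for view time."""
    text = record.decode("utf-8").rstrip("\n")
    body, sep, suffix = text.rpartition(" [integrity=")
    if not sep or not suffix.endswith("]"):
        return False
    expected = integrity_tag(host, timestamp, body)
    return hmac.compare_digest(expected, suffix[:-1])


def relay(stop: threading.Event, udp=LISTEN_UDP, tcp=FORWARD_TCP, host: str = "winhost") -> None:
    """Receive datagrams on `udp` and forward framed records over one TCP connection.

    `host` is the name recorded in the tag (placeholder); `stop` ends the loop.
    """
    usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    usock.bind(udp)
    usock.settimeout(0.5)                      # so the loop notices `stop`
    tsock = socket.create_connection(tcp)      # the tunnel's local listener
    try:
        while not stop.is_set():
            try:
                data, _ = usock.recvfrom(65535)
            except socket.timeout:
                continue
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime())
            tsock.sendall(frame_for_tcp(data, host, stamp))
    finally:
        usock.close()
        tsock.close()


if __name__ == "__main__":
    # Run until interrupted; the agent on the same box sends to LISTEN_UDP.
    halt = threading.Event()
    try:
        relay(halt)
    except KeyboardInterrupt:
        halt.set()
```

On the Windows side this replaces `-h my_local_ip` pointing straight at the tunnel: the agent targets the relay's UDP port, and only the relay's TCP connection goes through stunnel or ssh. The timestamp passed into the tag is the relay's receive time, so the verifier needs the same stored value; storing the tag in its own database column rather than inside the message text keeps the original event untouched for recalculation.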

