But you said you don't want to run a loghost, so if you're looking for something that doesn't run yet another exposed tcp service (for security reasons), your best route is something along the lines of scp'ing the files as a non-root user. Make the logs group-readable by an unprivileged user (create a user "logmonkey" if you like), and then set up public-key authentication (so that a password isn't required) for SSH between the hosts. Set up a cronjob for logmonkey that runs at whatever time you choose, and copies yesterday's log to the central host. You can make one computer have public-key privs (as logmonkey) to the other 3 (what I would suggest) and "pull" the logs in. The other option is to have the 3 other machines all have public-key access to the one machine, and "push" the logs to the one host. You'd then have 3 cron jobs to maintain, and 3x as many machines with access to other machines (crappy by comparison).
To get public-key auth set up, check out the man pages for ssh and ssh-keygen (the file you need to create is likely ~/.ssh/authorized_keys2).
scp (highly preferred to rcp because of the afforded security) has a handy manual page, but generally if you know how to use rcp it's precisely the same:
scp /path/to/local/file remotehost:/path/to/remotefile
All in all, if you can tolerate the extra port being open, syslog is really great for this setup. But security is always a consideration, and if appropriate firewalling is not readily available, scp is your next best choice (IMHO). As another security-conscious consideration, with the scp setup described, if the machine is compromised the attacker may be able to either a) turn off your logging before the logs are pushed to the other machine, b) connect via the same channel to the remote machine and delete the logs, or c) if the attacker notices the ssh auth, it also gives him user-level access to the remote machine, which may be enough to compromise the 2nd machine as well. Syslog has none of these deficiencies. :)
Enjoy! Aaron S. Joyner
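The "pull" variant described above, written out as a cron-driven script for the central host. This is an added example, not code from the original post. Host names (web1, web2, db1), the remote log location /var/log/central/messages-YYYYMMDD, and the local tree /var/log/collected/ are all assumptions; adjust them to your own layout.

```shell
#!/bin/sh
# pull_logs.sh -- run from logmonkey's crontab on the central host.
# Pulls yesterday's log from each remote host over scp using key auth.
# Hypothetical names (not from the original post): hosts web1/web2/db1,
# remote file /var/log/central/messages-YYYYMMDD, local tree /var/log/collected/.

LOG_HOSTS="${LOG_HOSTS:-web1 web2 db1}"
REMOTE_DIR="${REMOTE_DIR:-/var/log/central}"
LOCAL_DIR="${LOCAL_DIR:-/var/log/collected}"
SCP="${SCP:-scp}"          # override with a stub to exercise the logic offline

# Name of the daily log for a given YYYYMMDD date, e.g. messages-20240101.
log_name() {
    printf 'messages-%s\n' "$1"
}

# Yesterday as YYYYMMDD (GNU date first, BSD date as the fallback).
yesterday() {
    date -d yesterday +%Y%m%d 2>/dev/null || date -v-1d +%Y%m%d
}

# Local destination for one host's log; one directory per host so logs never collide.
dest_path() {
    printf '%s/%s/%s\n' "$LOCAL_DIR" "$1" "$2"
}

# Copy one host's log. BatchMode=yes makes scp fail instead of prompting when
# key auth is not set up (a cron job can't answer a password prompt), and
# StrictHostKeyChecking=yes refuses unknown or changed host keys instead of
# silently accepting a host that is not the one you expect.
pull_one() {
    host="$1"; name="$2"
    dest=$(dest_path "$host" "$name")
    mkdir -p "$(dirname "$dest")" || return 1
    "$SCP" -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "logmonkey@$host:$REMOTE_DIR/$name" "$dest" || return 1
    [ -s "$dest" ] || return 1     # an empty file usually means the copy went wrong
    chmod 0640 "$dest"
}

# Pull every host; report failures but keep going so one dead host doesn't block the rest.
# Optional first argument: a YYYYMMDD date (defaults to yesterday). Returns the failure count.
pull_all() {
    name=$(log_name "${1:-$(yesterday)}")
    failed=0
    for h in $LOG_HOSTS; do
        if ! pull_one "$h" "$name"; then
            echo "pull from $h failed for $name" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only run when invoked for real (e.g. from cron), not when sourced for testing.
if [ "${PULL_LOGS_MAIN:-}" = "1" ]; then
    pull_all
fi
```

A crontab entry for logmonkey on the central host such as `5 1 * * * PULL_LOGS_MAIN=1 /usr/local/bin/pull_logs.sh` runs it nightly; cron mails the stderr lines to logmonkey, which is how you notice a host that stopped answering. On each remote host you can limit what the central host's key can do by prefixing it in logmonkey's authorized_keys with the standard `from="<central host address>"` option, so the key is only accepted from that address.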
Roy Vestal wrote:
I have 4 servers that I'd like to consolidate the logs. I don't want to necessarily run a loghost, but I'd like to be able to rcp them to a directory on one server. Right now, I log in to all 4 and read the daily logs one at a time. I'd like to have them all in one place.
Any suggestions?
-- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
