I have several clusters that all report to central syslog servers. Securing this central loghost type machine is much like any other server for the most part. If you can spare the hardware, make that host only accessible to admins. Some of the logs will contain auth data that you don't want anyone to see.
Syslog simply sends UDP packets for each message on port 514 to the log server, so putting an IPTables rule up to only allow incoming packets to 514/udp from your net range is a good start. If you want to do advanced filtering, piping to other programs, etc., I would recommend you look at syslog-ng. It has a lot of options for however you might want to deal with the massive amounts of data that get generated. For example, I take some of the logs and format them into SQL INSERT statements so they can be pushed into a MySQL server for access from a custom web frontend.

The first few links for googling syslog-ng are the download site and other useful info:
http://www.google.com/search?hl=en&q=syslog-ng

It may look commercial, but it is actually GPL'd.

Also, since you're doing this for routers, php-syslog-ng is a quickie frontend for searching/sorting that someone wrote. IIRC, it only understands logs from Cisco (maybe others) devices though, not Linux, due to different priorities/facilities. Though it looks like they've done a serious update since I last looked.
http://www.phpwizardry.com/php-syslog-ng.php

Tim

On 12/9/05, Greg Brown <[EMAIL PROTECTED]> wrote:
> I have to set up a syslog server for my Internet routers.

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
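The syslog-to-SQL pipeline Tim describes, as an added example that is not part of the original post: a small Python script that parses BSD syslog lines (decoding the PRI into facility and severity, the field where Cisco and Linux logs differ) and inserts them with bound parameters. It assumes an in-memory SQLite database as a stand-in for the MySQL server, and the log lines are constructed samples; the naive_sql() helper shows why pasting the raw message into a quoted INSERT template is fragile.

```python
import re
import sqlite3

# BSD (RFC 3164) line as relayed by a syslog daemon: "<PRI>Mon DD HH:MM:SS host tag[pid]: msg"
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)

def parse_syslog(line):
    """Split one syslog line into fields; PRI = facility * 8 + severity."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "program": m.group("tag"), "msg": m.group("msg")}

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL server (assumption)
    db.execute("CREATE TABLE logs (facility INT, severity INT, ts TEXT, "
               "host TEXT, program TEXT, msg TEXT)")
    return db

def store(db, lines):
    """Insert parsed lines with bound parameters; log text is untrusted input."""
    rows = [r for r in map(parse_syslog, lines) if r]
    db.executemany("INSERT INTO logs VALUES (:facility, :severity, :timestamp, "
                   ":host, :program, :msg)", rows)
    db.commit()
    return len(rows)

def count_by_facility(db, facility):
    return db.execute("SELECT COUNT(*) FROM logs WHERE facility = ?",
                      (facility,)).fetchone()[0]

def naive_sql(row):
    """The string-built form a quoted '$MSG' template produces; breaks on quotes."""
    return ("INSERT INTO logs VALUES (%d, %d, '%s', '%s', '%s', '%s')" %
            (row["facility"], row["severity"], row["timestamp"],
             row["host"], row["program"], row["msg"]))

def naive_insert_ok(db, row):
    """Returns False when the message text corrupts the string-built statement."""
    try:
        db.execute(naive_sql(row))
        return True
    except sqlite3.Error:
        return False

# Constructed sample lines: Linux auth.info (PRI 38), Cisco local7.notice (PRI 189),
# and an auth line whose message contains a single quote.
SAMPLE = [
    "<38>Dec  9 10:15:02 rtr1 sshd[1234]: Accepted publickey for admin from 10.1.2.3 port 51234 ssh2",
    "<189>Dec  9 10:15:05 rtr1 %SYS-5-CONFIG_I: Configured from console by vty0",
    "<38>Dec  9 10:15:07 rtr1 login: user o'brien failed from 10.1.2.4",
]
```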
