SUMMARY: Best practices: Logging syslog msgs to central loghost

From: Ken Rossman (rossman_at_columbia.edu)
Date: 06/29/05

    Date: Wed, 29 Jun 2005 10:41:34 -0400
    To: sunmanagers@sunmanagers.org

    Many thanks to:

       Rob Foehl, Chris Ruhnke, Peter Kunst, Michael Grice, Brad Morrison,
       Jamie Walker, Alan Pae, Rob Windsor, Martin Wheatley, Ronny Martin,
       and Mike Demarco

    for all of your excellent input on my syslog server query.

    To summarize in brief, I asked about the impact and "gotchas"
    surrounding using a central syslog server, if I should worry about
    the system and network load generated, and how many different types
    of messages I should log to the central server.

    Almost unanimously, the response was that syslog messages going to a
    single central server did not present anything close to a heavy system
    or network load, even in a large, multi-system environment.

    The biggest issue in a larger multi-system environment seemed to be
    disk space management, and management of log rotation. There are good
    tools for doing this, and many folks had the syslog messages broken
    down by category and stuffed into databases for later retrieval.
    One syslog management tool that was mentioned was SMT:

       http://www.dangermen.com/smt/

    Other helpful comments and suggestions included:

    - Use "syslog-ng"! This is a very nice rewrite of the syslog daemon
       facility which has many very useful features embedded in it.

    - Set up log file rotations! Rotate daily in a "busy" environment.

    - Be sure to log critical messages both at the local host and the remote
       loghost, to ensure the message really gets logged *somewhere*.
       Network problems could cause loss of messages.

    - Carefully consider whether you want to remotely log auth messages,
       as sometimes a user may type their password in the place of where
       the user ID should go, and that password would be transmitted in
       plaintext over the wire, in "snoop-ready form".

    - If things are indeed quite busy where you are, set up a separate
       management network to send the syslog messages over.

    Thanks again to all who replied!

    Ken Rossman
    rossman@columbia.edu
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
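As an added example that is not part of Ken's summary or of any reply quoted in it, the fragment below shows how the "log locally and remotely" and "keep auth local" suggestions look in a client's /etc/syslog.conf on a classic Solaris syslogd. The host name `loghost` and the file paths are assumptions (they match the Solaris defaults, but are not taken from the post).

```conf
# Added example, not from the original post: /etc/syslog.conf fragment
# for a host that forwards to a central loghost.
# "loghost" is an assumed name that must resolve (via /etc/hosts or DNS).
# NOTE: classic Solaris syslogd requires a TAB, not spaces, between the
# selector and the action.

# Keep a local copy of the important messages so that a network outage
# or an unreachable loghost does not lose them.
*.err;kern.notice;daemon.notice;mail.crit	/var/adm/messages

# Send exactly the same selection to the central loghost as well.
*.err;kern.notice;daemon.notice;mail.crit	@loghost

# auth messages stay local only: a password typed into the user-name
# prompt would otherwise cross the wire in plaintext inside the message.
auth.notice	/var/log/authlog

# Emergencies go to every logged-in terminal, as in the Solaris default.
*.emerg	*
```

After editing the file, the daemon has to re-read it (on Solaris 9 and earlier by sending syslogd a HUP, on Solaris 10 by refreshing the system-log service); a quick check is to run `logger -p daemon.notice test` on the client and confirm the line lands in both /var/adm/messages locally and the loghost's log, while `logger -p auth.notice test` appears only in the local /var/log/authlog.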

