[TriLUG] Syslog server

Jon Carnes jonc at nc.rr.com
Fri Nov 9 23:37:05 EST 2001


On Thursday 08 November 2001 09:32, Jeff Bollinger wrote:
> Anyone have a really good (secure) way to set-up a syslog server, before
> I delve into How-tos and whatnot?  Here's the plan:
>
> System A reports its logs to System B.
> System B acts as a desktop workstation (though not installed that way)
> already, and reports its own logs via e-mail.
>
> I want to make sure that I have two separate and distinct logs coming
> from System B: System A's and System B's.
>
> Tips?
>
> Thanks,
> Jeff
>
> --
> Jeff Bollinger
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff_bollinger at unc.edu

I have a script I run called sys_check that runs every 10 minutes on my
external machines; it checks for multiple things, among them changes to any
executables that I normally use, system passwords, groups, services that
are running, etc.  The reports are sent as email to my main internal server.

The volume it sends is high so I use procmail to store the email on my main 
internal server as a file, and then do a diff against the previous email. 
If there is no difference in the body of the email, I make no changes and 
send on no alerts.  If there is a change, I send on the diff file, so I can 
see what was there and what has changed. 
The current email is saved as the standard, the old one is saved to .bak.

Mainly I see things like folks updating their passwords.  I get one notice
and then don't get any more messages about it, since it's saved as the new
standard.

What I'm looking for is anyone breaking in and changing anything or trying 
to insert a root kit.  

I should also point out that I also have a script that monitors how old the 
last check file is, if that file is over 30 minutes old, then I also send 
off alarms.

I have other log checks as well, but they are not nearly as sophisticated 
and don't run as often - mainly because I think my systems have fairly 
tight security and I have my system check telling me that all is well...

My main goal is to receive NO MAIL from any system -- unless there is a
problem.  Otherwise, I'll always be poring over the emails and checking
them - which frankly is a waste of my time.

Jon Carnes
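The compare-and-rotate scheme Jon describes, written out as an added shell example (not his sys_check script or his procmail recipe). It assumes procmail hands each report to store_report as a file, that REPORT_DIR holds the saved standard, and that alert() stands in for piping the diff to mail(1); the 30-minute staleness check is a separate function, as in the post.

```shell
#!/bin/sh
# Added example, not Jon's sys_check or his procmail recipe. It reproduces the
# reply's scheme: each arriving report is compared with the saved "standard";
# only a diff is forwarded, the old standard is kept as .bak, and a separate
# check alarms when the standard has not been refreshed within 30 minutes.
# REPORT_DIR and the alert sink are assumptions; replace alert() with mail(1).
REPORT_DIR="${REPORT_DIR:-/tmp/sys_check_reports}"

alert() { cat >> "$REPORT_DIR/alerts.log"; }   # stand-in for piping to mail

# mail_body FILE: drop the mail headers, keep only what sys_check reported.
mail_body() { sed '1,/^$/d' "$1"; }

# store_report FILE: handle one report as delivered by procmail.
# Prints "unchanged" when the body equals the standard (nothing is sent),
# "changed" when a diff was forwarded and FILE became the new standard.
store_report() {
    mkdir -p "$REPORT_DIR"
    cur="$REPORT_DIR/current"
    new="$REPORT_DIR/incoming.$$"
    mail_body "$1" > "$new"
    if [ -f "$cur" ] && cmp -s "$cur" "$new"; then
        rm -f "$new"
        echo unchanged
        return 0
    fi
    if [ -f "$cur" ]; then
        diff -u "$cur" "$new" | alert     # send only what was added/removed
        mv "$cur" "$cur.bak"              # previous standard kept as .bak
    fi
    mv "$new" "$cur"                      # this report is now the standard
    echo changed
}

# check_stale [MAX_MINUTES]: return 0 if the standard was refreshed within
# MAX_MINUTES (default 30), 1 if it is older than that or missing.
check_stale() {
    cur="$REPORT_DIR/current"
    [ -f "$cur" ] || return 1
    [ -n "$(find "$cur" -mmin "-${1:-30}")" ]
}
```

Run check_stale from cron on its own schedule; a silent sys_check (dead host, blocked mail, killed script) then shows up as a stale standard rather than as an absence of mail.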
