[TriLUG] *nix admin log tip request

Aaron S. Joyner aaron at joyner.ws
Tue Mar 30 14:16:44 EST 2004


This is what syslog is all about.  Real-time centralized logging to one 
machine, and still maintaining local copies, if you like.  And it 
doesn't necessarily need to be a separate host. 

But you said you don't want to run a loghost, so if you're looking for 
something that doesn't run yet another exposed tcp service (for security 
reasons), your best route is something along the lines of scp'ing the 
files as a non-root user.  Make the logs group-readable by an 
unprivileged user (create a user "logmonkey" if you like), and then 
set up public-key authentication (so that a password isn't required) for 
SSH between the hosts.  Set up a cron job for logmonkey that runs at 
whatever time you choose, and copies yesterday's log to the central host.  
You can make one computer have public-key privs (as logmonkey) to the 
other 3 (what I would suggest) and "pull" the logs in.  The other option 
is to have the 3 other machines all have public-key access to the one 
machine, and "push" the logs to the one host.  You'd then have 3 cron 
jobs to maintain, and 3x as many machines with access to other machines 
(crappy by comparison).

To get public-key auth set up, check out the man pages for ssh and 
ssh-keygen (the file you need to create is likely ~/.ssh/authorized_keys2).
scp (highly preferred to rcp because of the afforded security) has a 
handy manual page, but generally if you know how to use rcp it's 
precisely the same:
scp /path/to/local/file remotehost:/path/to/remotefile

All in all, if you can tolerate the extra port being open, syslog is 
really great for this setup.  But security is always a consideration, 
and if appropriate firewalling is not readily available, scp is your 
next best choice (IMHO).  As another security-conscious consideration, 
with the scp setup described, if the machine is compromised the attacker 
may be able to either a) turn off your logging before the logs are 
pushed to the other machine or b) connect via the same channel to the 
remote machine and delete the logs and c) if the attacker notices the 
ssh auth, it also gives him user-level access to the remote machine, 
which may be enough to compromise the 2nd machine as well.  Syslog has 
none of these deficiencies.  :)

Enjoy!
Aaron S. Joyner

Roy Vestal wrote:

>I have 4 servers that I'd like to consolidate the logs. I don't want to
>necessarily run a loghost, but I'd like to be able to rcp them to a
>directory on one server. Right now, I log in to all 4 and read the daily
>logs one at a time. I'd like to have them all in one place.
>
>Any suggestions?
>
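The "pull" arrangement Aaron describes (the central host's unprivileged logmonkey account scp'ing yesterday's log from each of the other machines out of cron), written out as an added example that is not part of the thread. The host names web1/web2/db1, the /var/log/messages-YYYYMMDD naming scheme, the ~/logs archive location and the pull-logs.sh path are assumptions; the thread specifies none of them.

```shell
#!/bin/sh
# Added example, not from the original post: a "pull" collector that the
# unprivileged "logmonkey" account on the central host runs from cron.
# Host names, the messages-YYYYMMDD naming scheme and the archive location
# are assumptions, not something the thread specifies.
set -u

LOG_HOSTS="${LOG_HOSTS:-web1 web2 db1}"          # assumed names of the 3 other machines
REMOTE_LOG_DIR="${REMOTE_LOG_DIR:-/var/log}"     # where the remote syslog writes
LOCAL_ARCHIVE="${LOCAL_ARCHIVE:-$HOME/logs}"     # per-host archive on the central host
# BatchMode=yes makes scp fail instead of hanging on a password prompt if the key is missing,
# which is what you want from a cron job that nobody is watching.
COPY_CMD="${COPY_CMD:-scp -q -o BatchMode=yes}"

# Yesterday's date as YYYYMMDD (GNU date first, then BSD date).
yesterday() {
    date -d yesterday +%Y%m%d 2>/dev/null || date -v-1d +%Y%m%d
}

# scp source spec for one host's log of a given day, e.g. web1:/var/log/messages-20040329
remote_log_spec() {
    printf '%s:%s/messages-%s\n' "$1" "$REMOTE_LOG_DIR" "$2"
}

# Local destination for that same log, e.g. $HOME/logs/web1/messages-20040329
local_log_path() {
    printf '%s/%s/messages-%s\n' "$LOCAL_ARCHIVE" "$1" "$2"
}

# Copy one host's log for one day; returns the copy command's exit status on failure.
pull_log() {
    host=$1; day=$2
    dest=$(local_log_path "$host" "$day")
    mkdir -p "$(dirname "$dest")"
    # $COPY_CMD is deliberately unquoted so its flags split into separate arguments.
    $COPY_CMD "$(remote_log_spec "$host" "$day")" "$dest" || return $?
    chmod 0640 "$dest"      # archive stays readable by logmonkey's group only
}

# Pull the given day's log from every host; returns the number of hosts that failed,
# so one unreachable machine does not stop the others from being collected.
pull_all() {
    day=$1; failed=0
    for host in $LOG_HOSTS; do
        if pull_log "$host" "$day"; then
            echo "pulled $host messages-$day"
        else
            echo "FAILED $host messages-$day" >&2
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Cron entry for logmonkey (assumed script path), run once a day after the remote logs rotate:
#   15 0 * * * /home/logmonkey/pull-logs.sh pull
if [ "${1:-}" = "pull" ]; then
    pull_all "$(yesterday)"
fi
```

Because the copy command is a variable, the same script can be exercised against a local stand-in for scp before the key exchange is in place. Note that, as the post warns, the logmonkey key grants a shell on the remote machines; OpenSSH's authorized_keys `command="..."` option can pin that key to a single fixed command, which narrows what the key is good for if it is ever taken from the central host.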
