[TriLUG] secure syslog server

Timothy A. Chagnon tachagnon at gmail.com
Fri Dec 9 12:16:36 EST 2005


I have several clusters that all report to central syslog servers. 
Securing this central loghost type machine is much like any other
server for the most part.  If you can spare the hardware, make that
host only accessible to admins.  Some of the logs will contain auth
data that you don't want anyone to see.

Syslog simply sends UDP packets for each message on port 514 to the
log server, so putting an IPTables rule up to only allow incoming
packets to 514/udp from your net range is a good start.

If you want to do advanced filtering, piping to other programs, etc.,
I would recommend you look at syslog-ng.  It has a lot of options for
however you might want to deal with the massive amounts of data that
get generated.  For example, I take some of the logs and format them
into SQL INSERT statements so they can be pushed into a MySQL server
for access from a custom web frontend.

The first few links for googling syslog-ng are the download site and
other useful info:
http://www.google.com/search?hl=en&q=syslog-ng

It may look commercial, but it is actually GPL'd.

Also, since you're doing this for routers, php-syslog-ng is a quickie
frontend for searching/sorting that someone wrote.  IIRC, it only
understands logs from Cisco (maybe others) devices though, not Linux,
due to different priorities/facilities.  Though it looks like they've
done a serious update since I last looked.

http://www.phpwizardry.com/php-syslog-ng.php

Tim

On 12/9/05, Greg Brown <gwbrown1 at gmail.com> wrote:
> I have to set up a syslog server for my Internet routers.
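Added example, not code from the post above, from syslog-ng or from php-syslog-ng: the receive-side logic of a central loghost, covering the three points the thread raises. It applies a source-network allowlist equivalent to the 514/udp IPTables rule, decodes the syslog PRI into facility/severity (the facility mismatch between Cisco gear and Linux hosts that Tim mentions), and loads messages into SQL with parameterised INSERTs rather than string-built statements, so a log line that contains quotes or SQL stays data. It uses sqlite3 in place of MySQL so it runs offline; the CIDR ranges, the `ALLOWED_NETS`, `parse_syslog` and `ingest` names and all log lines are constructed for this example.

```python
"""Added example (not from the original TriLUG post): loghost receive logic.
Assumed names: ALLOWED_NETS, source_allowed, parse_syslog, ingest, demo."""
import ipaddress
import re
import sqlite3

# Constructed sample: the ranges the loghost accepts, analogous to
#   iptables -A INPUT -p udp --dport 514 -s 10.0.0.0/8 -j ACCEPT
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]

# RFC 3164 (BSD syslog) line: <PRI>TIMESTAMP HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]


def source_allowed(addr, nets=ALLOWED_NETS):
    """Mirror of the firewall rule: accept datagrams only from listed ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_syslog(line):
    """Split a BSD syslog line into fields; PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility >= len(FACILITIES):
        return None  # PRI outside the defined facility range: do not store
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "message": m.group("msg")}


def open_store():
    """In-memory SQLite table standing in for the MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (src TEXT, facility TEXT, severity TEXT, "
               "ts TEXT, host TEXT, msg TEXT)")
    return db


def ingest(db, datagrams):
    """datagrams: iterable of (source_ip, raw_line). Returns (stored, dropped)."""
    stored = dropped = 0
    for src, line in datagrams:
        rec = parse_syslog(line) if source_allowed(src) else None
        if rec is None:
            dropped += 1
            continue
        # Parameterised INSERT: the message text is bound as data, never
        # concatenated into the SQL, so quotes or SQL in a log line are inert.
        db.execute("INSERT INTO logs VALUES (?, ?, ?, ?, ?, ?)",
                   (src, rec["facility"], rec["severity"], rec["timestamp"],
                    rec["host"], rec["message"]))
        stored += 1
    db.commit()
    return stored, dropped


SAMPLE = [  # constructed datagrams: (source address, raw syslog line)
    ("10.1.2.3", "<38>Dec  9 12:16:36 router1 sshd[123]: Accepted publickey for admin"),
    ("192.168.1.7", "<187>Dec  9 12:17:01 edge-rtr %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
    ("10.9.9.9", "<13>Dec  9 12:17:05 host2 user says: '); DROP TABLE logs; --"),
    ("203.0.113.5", "<38>Dec  9 12:18:00 rogue sshd[9]: Accepted password for root"),
    ("10.1.2.3", "not a syslog line at all"),
]


def demo():
    """Run the constructed sample through the pipeline; returns (counts, rows)."""
    db = open_store()
    counts = ingest(db, SAMPLE)
    rows = db.execute("SELECT src, facility, severity, host, msg FROM logs "
                      "ORDER BY rowid").fetchall()
    return counts, rows


if __name__ == "__main__":
    counts, rows = demo()
    print("stored/dropped:", counts)
    for row in rows:
        print(row)
```

The fourth sample line is dropped purely on source address, before parsing, which is the same ordering the IPTables rule gives you at the kernel: anything outside the net range never reaches the parser. The third line shows why the INSERT is parameterised; the Cisco line decodes to `local7`/`err`, which is what a frontend that only knows Linux facilities would mis-sort.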
