[unisog] reporting on a central syslog server

Peter Van Epp vanepp at sfu.ca
Mon Apr 4 16:23:19 GMT 2005


	The orignal answer is swatch from Stanford, but one of our linux folks
likes logwatcher better. In either case wisdom from Brent Chapman at a long
ago Usenix LISa or Security conference is the key to success: start it, then
filter out any expected log entries leaving you only the unexpected (so far)
log entries to deal with. Accept the fact that no automatic system can deal 
with everything, and the objective is to reduce the human interaction to only
cases where such interaction is needed. A case in point is where a flood fills
the syslog disk: the appropriate response here is page a human because the 
disk filling or starting to get towards being full is either bad capacity 
planning or an attack and paging a human will fix either one (if for different
reasons :-)).
	I've often thought (but never implemented because we've never had a 
problem) that additional insurance would be to have a second syslog server
connected via a network tap to the same network connection as the official (and 
network accessable) syslog server that mirrors the syslog. That way if an
attacker compromises your syslog server and modifies the log, its obvious 
because a diff of the "public" syslog with the mirrored one will be very 
different and the mirror will have the complete record of what happened 
because of no network connection to get compromised via.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


On Mon, Apr 04, 2005 at 09:08:12AM -0400, Michael Holstein wrote:
> Before I get out my O'Riley books and re-invent the wheel, what are 
> folks out there using to report against a central syslog environment 
> with Syslog-NG doing the logging from multiple UNIX systems of various 
> type (mostly Solaris, a few others) as well as Windows Server logs and 
> PIX firewall info.
> 
> We're talking 6-10gb per 24 hours, uncompressed.
> 
> If you wish, email off-list and I'll summarize in a few days.
> 
> Cheers,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog


More information about the unisog mailing list