Tuxites: Security - Remote Logging

Thursday 19 January 2012

Security - Remote Logging

... Ok, today we're going to set up a remote log server.

ssh to your log server and edit /etc/sysconfig/syslog

It's a well-commented file; go to the line

SYSLOGD_OPTIONS="-m 0"

Now add the -r option so that it accepts remote messages as well.

SYSLOGD_OPTIONS="-r -m 0"

Do a restart of your syslog daemon

# service syslog restart 

Okay, so that's done: your syslog can listen for remote messages, but is your firewall aware of it? If not, let's tell the firewall to permit incoming syslog messages -

# iptables -I INPUT -p udp --dport 514 --source <client-ip> -j ACCEPT 

(<client-ip> is a placeholder: the address or network of the box that will be sending its logs; the original command was missing this argument.)

That's it on the log server; now go to the other box that will send its syslog messages to this log server.

On the other box, edit /etc/syslog.conf and add facility.priority entries according to your requirements, e.g. I am sending all user messages to our log server - 

user.* @a.b.c.d 

a.b.c.d is your log server's IP.

On older systems, don't forget to restorecon all the files you edit.
Now do

# service syslog restart 

and test your new configuration by generating a message -

# logger -i -t testlog "I am testing remote logging" 

This message will appear in the log server's /var/log/messages in the following format -

Jan 19 17:55:15 a.b.c.d testlog[6789]: I am testing remote logging
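As an added example (not part of the original post), here are two small checks for the setup above: one confirms that the sysconfig file actually carries -r, the other reads messages in the format just shown and lists sender hosts that are not on an allowlist. File paths and the sample data are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the remote
# syslog setup described above. All paths and sample data are constructed.

# Return 0 if the SYSLOGD_OPTIONS line of a sysconfig file carries -r.
has_remote_option() {
    awk -F'"' '/^SYSLOGD_OPTIONS=/ {
                   n = split($2, o, " ")
                   for (i = 1; i <= n; i++) if (o[i] == "-r") found = 1
               }
               END { exit !found }' "$1"
}

# Print each sender host (4th field of the format shown above) that is not in
# the space-separated allowlist. With -r, syslogd accepts UDP/514 from any
# host the firewall lets through, so unexpected senders deserve a look.
unexpected_senders() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 && !($4 in ok) && !($4 in seen) { seen[$4] = 1; print $4 }
    ' "$1"
}

# Constructed sample files so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
printf 'SYSLOGD_OPTIONS="-r -m 0"\n' > "$SAMPLE_DIR/syslog.ok"
printf '# SYSLOGD_OPTIONS="-r -m 0"\nSYSLOGD_OPTIONS="-m 0"\n' > "$SAMPLE_DIR/syslog.bad"
cat > "$SAMPLE_DIR/messages" <<'EOF'
Jan 19 17:55:15 a.b.c.d testlog[6789]: I am testing remote logging
Jan 19 17:55:20 logserver sshd[1234]: Accepted publickey for admin from a.b.c.d port 50022 ssh2
Jan 19 17:56:01 192.0.2.99 testlog[42]: I am testing remote logging
Jan 19 17:56:30 192.0.2.99 kernel: constructed sample line
EOF

if has_remote_option "$SAMPLE_DIR/syslog.ok"; then echo "syslog.ok: accepts remote messages"; fi
if ! has_remote_option "$SAMPLE_DIR/syslog.bad"; then echo "syslog.bad: -r missing"; fi
echo "unexpected senders (allowlist: a.b.c.d logserver):"
unexpected_senders "$SAMPLE_DIR/messages" "a.b.c.d logserver"
```

The allowlist should include the log server's own hostname, since its local messages land in the same file.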

If you're still wondering why we need to set up a central remote logging server in our network, let me tell you that almost all successful local or network attacks have a common feature: the attacker always tries to erase his footprints and clear the evidence of his work. Your log server is a configuration that collects that evidence; in addition, well-configured auditing along with logging will show you misconfigurations and vulnerabilities.



We'll discuss response strategies and fault analysis along with logwatch in next blog.
 

Visit my other blog space here - http://baaharkibaat.blogspot.com
