[syslog-ng] Help settings regarding Syslog NG
jrhendri at roadrunner.com
jrhendri at roadrunner.com
Mon Sep 15 16:33:32 CEST 2014
Umm... OK - but that is WAYYY too broad a question for any specific recommendations.
That said
- log EVERYTHING from the security devices and send it to syslog-ng over the network
(shun vendors who claim you should use their own log reporting tool or otherwise resist using syslog protocol over the network in real-time)
- For further processing of the logs make syslog-ng forward copies of whatever you deem important on to the destination (like a SIEM or log search tool)
- use UDP wherever possible (although TCP is a "reliable" protocol - I have personally seen many implementations of vendor products that do not correctly close TCP connections resulting in syslog-ng running out of open connections. UDP over relatively short distances and hopefully stable networks is absolutely fine.
- use filters on the syslog-ng end to control what you log (rather than requiring changes on every endpoint device)
an example of that from unix / linux would be to have the linux system send all facilities and all priorities
(e.g. *.debug) to syslog-ng and have syslog-ng use a filter to only keep the messages you want
- I like to store messages by the IP address of the sending server (using $HOST_FROM instead of $HOST) since it does not rely on parsing sometimes very broken syslog formatted messages to obtain the HOST name.
- I also use macros to rotate logs by date, making compressing or deleting older logs pretty straightforward.
(e.g.
destination d_separatedbyhosts {
file("/data/syslog-ng/$YEAR/$MONTH/$DAY/$HOST_FROM/$HOST_FROM.$FACILITY.$PRIORITY.$YEAR.$MONTH.$DAY");
};
Hope this helps!
Jim
---- Simon OBOUNOU <simon.obounou at hifa.biz> wrote:
> Hi
I need helps regarding setting between syslog ng server and security
solutions like checkpoint firewall, stormshield IDS and so one.
--
Bien cordialement, Kind Regards
HIFA, Chairman
32 rue de la République 92190 MEUDON - FRANCE
Phone: +33 1 46 31 44 25
Mobile: +33 6 11 30 36 57
email: simon.obounou at hifa.biz
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
More information about the syslog-ng
mailing list