OK, here is my 'take' on your replies. It took me a little time to go over your points // __ SheBang
Great idea, but running in stealth mode isn't a function of syslog-ng, it's a function of a network capture tool such as tcpdump or ngrep.
: I meant 'stealth mode' in a literal way not as an option or working mode of ngsyslog // __
dump the syslog contents to a file (need to do a little scripting here perhaps, though not much) and have syslog-ng read from that file.
: I won't have a filesystem around or say the application is booting and running off a CD-ROM (+RAM) and a ramdisk (or something similar) is NOT available // __
// __ Jens Grigel
For the kernel messages you could use the netconsole kernel module to send any kernel messages directly via udp to a specified client as soon as the network is available, no need for running a local syslogd/klogd.
Check kernel/Documentation/networking/Netconsole.txt for details.
: I was interested in reading about it but the only page I could find was in Japanese. http://www.linux.or.jp/JF/JFdocs/kernel-docs-2.6/networking/netconsole.txt.h... Also the idea is NOT to "send any kernel messages directly via udp to a specified client", because to send it 'directly' to an IP/client you must declare this IP somehow and everything should be stealth. The log aggregator should only gobble whatever reaches its NIC, without the log producing end being even aware of it (do you get it ;-)) // __ Bill Nash
You mean..
Log all activity on the box and forward it off to another device, storing nothing locally?
: No, I don't. I am not trying to store it locally and then forward it ... // __ SheBang
Ah, I see. I didn't read carefully past "stealth mode" it seems. I was thinking of this:
http://www.linuxjournal.com/xstatic/articles/lj/0092/5476/5476s2.html http://www.linuxjournal.com/article/6222
It's a hidden syslog server that's not attackable by common methods (well except flooding with log messages - hard to eliminate DoS risks with any service). If you snip the send pair in its ethernet cable and hardcode MAC addresses then it's quite a secure log receiver.
: Exactly! This is the idea "log files to a non-IP-addressed" ... Thanks Albretch
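The non-IP-addressed receiver the thread ends on, as an added example that is not from the thread, the Linux Journal articles or syslog-ng: a small Python sniffer that binds a raw AF_PACKET socket to an interface that carries no IP address and pulls syslog datagrams straight out of the Ethernet frames, never checking the destination IP. The interface name, the build_frame helper and the 10.0.0.x addresses are assumptions used only to construct test traffic.

```python
import socket
import struct

SYSLOG_PORT = 514

def parse_pri(msg: bytes):
    """Split an RFC 3164 '<PRI>' prefix into (facility, severity, rest)."""
    if msg.startswith(b"<") and b">" in msg[:5]:
        pri, _, rest = msg[1:].partition(b">")
        if pri.isdigit():
            n = int(pri)
            return n // 8, n % 8, rest
    return None, None, msg

def parse_frame(frame: bytes):
    """Return the syslog record in one raw Ethernet frame, or None if it is
    not IPv4/UDP to port 514. The destination IP is deliberately ignored: a
    receiver with no address of its own takes whatever reaches its NIC."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # 14+20+8, IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                                   # IP protocol != UDP
        return None
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    if dport != SYSLOG_PORT:
        return None
    fac, sev, text = parse_pri(frame[udp + 8:udp + ulen])
    return {"src": socket.inet_ntoa(frame[26:30]), "sport": sport, "facility": fac,
            "severity": sev, "msg": text.decode("utf-8", "replace")}

def build_frame(src_ip: str, dst_ip: str, msg: bytes) -> bytes:
    """Constructed test traffic (not a capture): minimal Ethernet/IPv4/UDP
    frame with a zero IP checksum, which parse_frame does not verify."""
    udp_len = 8 + len(msg)
    udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, udp_len, 0) + msg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp

def sniff(iface: str):
    """Linux only: bind a raw AF_PACKET socket to iface (which may carry no
    IP address at all) and print every syslog datagram seen on the wire."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    while True:
        rec = parse_frame(s.recv(65535))
        if rec:
            print(rec)
```

Running sniff() needs root (or CAP_NET_RAW) and, for the receive-only setup described above, a NIC with no address and the transmit pair cut; the parser itself can be exercised offline with build_frame.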