Hello list, I am new on this list. I have started working in an IT department and I need to update and check the current syslog system.

We have more than 50 Ubuntu servers, local and remote; on each server rsyslog is installed and configured this way:

$ cat /etc/rsyslog.d/99-rsyslog.conf

auth.*,authpriv.*       @logserver
kern.warn               @logserver
kern.err                @logserver
mail.*                  @logserver

There is a server (logserver) with syslog-ng to manage and save all the logs. It receives on a UDP port without any security; this is the source section of the syslog-ng configuration:

source s_all {
        internal();
        unix-stream("/dev/log");
        file("/proc/kmsg" log_prefix("kernel: "));
};

source logs_externs {
        udp();
};

I have some questions about how to secure it:

1. How can I secure the logs on the network? Must I use TCP to secure them?

2. I have a lot of data (5-10 GB a week) to store; which is the best method to manage it? Logrotate? Scripts? I want to move the logs to a NAS monthly.

3. Is it a good idea to make files for each host and service? Something like: /var/log/host1/auth.log, /var/log/host2/auth.log, /var/log/host1/mail.log, /var/log/host2/mail.log

These are my newbie questions; thanks for all your help and best regards.
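As an added example (not from the poster or from either project), a hardened counterpart to the two configurations quoted above: rsyslog on each client forwarding over TCP with TLS and a client certificate, and syslog-ng on logserver accepting only such connections and writing one file per host and facility under a per-month directory. The hostname logserver.example.com and all certificate paths are assumptions; the CA directory must hold hash-named symlinks (openssl rehash) for syslog-ng to find the CA.

```conf
# --- Client side: /etc/rsyslog.d/99-rsyslog.conf (rsyslog, legacy directive syntax) ---
# Assumed paths under /etc/rsyslog/tls/; the client cert must be signed by the same CA
# that the server trusts below.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/tls/client.crt
$DefaultNetstreamDriverKeyFile  /etc/rsyslog/tls/client.key
$ActionSendStreamDriverMode 1                 # 1 = TLS is required on this action
$ActionSendStreamDriverAuthMode x509/name     # verify the server's certificate and its name
$ActionSendStreamDriverPermittedPeer logserver.example.com
# @@ = TCP (a single @ is UDP); 6514 is the IANA port for syslog over TLS.
# kern.warn already matches err and above, so a separate kern.err line is not needed.
auth.*,authpriv.*;kern.warn;mail.*  @@logserver.example.com:6514

# --- Server side: /etc/syslog-ng/syslog-ng.conf (syslog-ng 3.4 or later) ---
# Replaces the plain udp() source: only TLS clients with a certificate signed by a
# CA in ca-dir are accepted, and the plaintext UDP listener is gone.
source s_remote_tls {
    network(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/logserver.key")
            cert-file("/etc/syslog-ng/tls/logserver.crt")
            ca-dir("/etc/syslog-ng/ca.d")          # hashed CA directory (openssl rehash)
            peer-verify("required-trusted")        # client cert required and must chain to the CA
        )
    );
};

# One file per host and facility, grouped by month, so that a finished month is a
# self-contained directory that can be copied to the NAS as a unit.
# Directories are created on demand with restrictive permissions.
destination d_per_host {
    file("/var/log/remote/${YEAR}-${MONTH}/${HOST}/${FACILITY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640) owner("root") group("adm"));
};

log { source(s_remote_tls); destination(d_per_host); };
```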