Hello list, I am new on this list. I have started working in an IT department and I need to update and check the current syslog system. We have more than 50 Ubuntu servers, local and remote; on each server rsyslog is installed and configured this way:

    $ cat /etc/rsyslog.d/99-rsyslog.conf
    auth.*,authpriv.* @logserver
    kern.warn @logserver
    kern.err @logserver
    mail.* @logserver

There is a server (logserver) with syslog-ng to manage and save all logs. It receives on a UDP port without any security; this is the source section of the syslog-ng configuration:

    source s_all {
        internal();
        unix-stream("/dev/log");
        file("/proc/kmsg" log_prefix("kernel: "));
    };
    source logs_externs {
        udp();
    };

I have some questions about how to secure it:
1. How can I secure the logs on the net? Must I use TCP to secure them?
2. I have a lot of data (5-10GB a week) to store; which is the best method to manage it? Logrotate? Scripts? I want to move the logs to a NAS monthly.
3. Is it a good idea to make files for each host and service? Something like: /var/log/host1/auth.log, /var/log/host2/auth.log, /var/log/host1/mail.log, /var/log/host2/mail.log
These are my newbie questions, thanks for all your help and best regards.
Hi!
1. How can I secure the logs on the net? Must I use TCP to secure them?
Not necessarily, but TCP + SSL is the easiest route in my opinion.
2. I have a lot of data (5-10GB a week) to store; which is the best method to manage it? Logrotate? Scripts? I want to move the logs to a NAS monthly.
Logrotate is one option, but you can tell syslog-ng to put the date in the log file's name as well, thus you get automatic 'rotation'. Something like this:

    destination d_dated {
        file("/var/log/messages-${YEAR}-${MONTH}.log");
    };

Then you can safely move the past months' logs to the NAS, as syslog-ng will not write to them anymore. You can even do stuff like this:

    destination d_example {
        file("/var/log/split/${YEAR}-${MONTH}/${HOST}/messages.log");
    };

Which will result in files like "/var/log/split/2011-06/example.local/messages.log".
3. Is it a good idea to make files for each host and service? Something like: /var/log/host1/auth.log, /var/log/host2/auth.log, /var/log/host1/mail.log, /var/log/host2/mail.log
That depends on what you want to do with the logs. If it's easier to archive/process/whatever them if they're split by host, then by all means, split them. If you only want to archive the logs, and hardly ever look at them, then it might be easier to just place them in a single file. -- |8]
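As an added example (not from the thread), the two destinations above combined into one logserver configuration that covers questions 2 and 3 at once: month, host and facility in the path, with directories created automatically. The options block, the permissions and the /var/log/split layout details are assumptions on top of what the answer shows:

```conf
@version: 3.2

# Make ${HOST} come from the sending peer rather than from text inside the
# message, so a client cannot write into another host's directory; resolve
# names from /etc/hosts only, to avoid a DNS lookup per message.
options {
    keep_hostname(no);
    use_dns(persist_only);
};

# The poster's existing UDP source on the logserver.
source logs_externs { udp(); };

# One file per month, per sending host, per facility, e.g.
#   /var/log/split/2011-06/host1/auth.log
#   /var/log/split/2011-06/host1/mail.log
# create_dirs(yes) makes syslog-ng create missing directories; the perms
# keep the archive readable by root only (assumed policy).
destination d_split {
    file("/var/log/split/${YEAR}-${MONTH}/${HOST}/${FACILITY}.log"
         create_dirs(yes)
         dir_perm(0700)
         perm(0600));
};

# When the month rolls over, syslog-ng opens new files and never touches the
# old ones again, so /var/log/split/<last-month>/ can be moved to the NAS
# as a whole (e.g. from a monthly cron job).
log { source(logs_externs); destination(d_split); };
```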
-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Gergely Nagy Sent: Friday, 17 June 2011 12:31 To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] New on syslog-ng
Thanks for the reply. I will look for more info about TCP and SSL; is it possible to make it work with rsyslog on the client side? Do you have any example configuration for TCP+SSL? Thank you very much for your help, kind regards.
Thanks for the reply. I will look for more info about TCP and SSL; is it possible to make it work with rsyslog on the client side? Do you have any example configuration for TCP+SSL?
Yep, it's possible. As long as the client can talk the same protocol (either legacy BSD syslog, or the new RFC syslog - rsyslog can do both, and it's even configurable to some extent) they can interact well with syslog-ng. However, I found it much easier to use syslog-ng on both sides. The configuration is a thousand times simpler for one. An example server-side config would look something like this:

    source s_tcptls {
        tcp(ip("10.200.42.1") port(10514)
            tls(peer-verify(require-trusted)
                ca_dir("/etc/syslog-ng/certs/")
                key_file("/etc/syslog-ng/certs/server.key")
                cert_file("/etc/syslog-ng/certs/server.crt")));
    };

For this to work, you need to generate the server.key & server.crt files as usual for any TLS service. Furthermore, you need to have the client certs in /etc/syslog-ng/certs/, and you need to run c_rehash . in that directory, so openssl will generate the appropriate symlinks. Alternatively, you can set peer-verify to require-untrusted, in which case untrusted and unknown client certificates will be accepted as well. The on-line documentation should have more information & examples. I would suggest reading this chapter in particular: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid... -- |8]
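To complete the server-side snippet above with the client side the poster asked for, here is an added example (not from the thread) of syslog-ng on both ends with mutual TLS, the client half replacing the rsyslog selectors from the first mail. The ca.d directory, the per-host client.key/client.crt names and the /var/log/remote layout are assumptions; the server address and port are taken from the answer:

```conf
@version: 3.2

# ---- logserver (10.200.42.1) ----
# Mutual TLS: peer-verify(require-trusted) rejects any client whose
# certificate is not signed by a CA (or is not itself) listed in ca_dir.
# ca_dir must be re-indexed with `c_rehash .` after every change. Dropping
# to require-untrusted would let any host that can reach port 10514 inject
# log lines under any hostname.
source s_tcptls {
    tcp(ip("10.200.42.1") port(10514)
        tls(peer-verify(require-trusted)
            ca_dir("/etc/syslog-ng/certs/ca.d/")
            key_file("/etc/syslog-ng/certs/server.key")
            cert_file("/etc/syslog-ng/certs/server.crt")));
};
destination d_remote {
    file("/var/log/remote/${HOST}/messages.log" create_dirs(yes));
};
log { source(s_tcptls); destination(d_remote); };

# ---- each Ubuntu client ----
# Same local sources the poster already runs on the logserver.
source s_local {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
};

# Equivalent of the rsyslog selectors from the first mail: auth.*,
# authpriv.*, mail.* and kern.warn (warning and above; kern.err is already
# covered by kern.warn).
filter f_forward {
    facility(auth, authpriv, mail)
    or (facility(kern) and level(warning..emerg));
};

# The client verifies the server the same way, so a spoofed logserver
# cannot collect the auth logs; client.key/client.crt are issued per host.
destination d_logserver {
    tcp("10.200.42.1" port(10514)
        tls(peer-verify(require-trusted)
            ca_dir("/etc/syslog-ng/certs/ca.d/")
            key_file("/etc/syslog-ng/certs/client.key")
            cert_file("/etc/syslog-ng/certs/client.crt")));
};
log { source(s_local); filter(f_forward); destination(d_logserver); };
```

The two halves belong in /etc/syslog-ng/syslog-ng.conf on the logserver and on each client respectively; with TLS in place the old udp() source on the logserver can be removed once every client has been switched over.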
-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Gergely Nagy Sent: Monday, 20 June 2011 14:06 To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] New on syslog-ng
Thanks for your help again. I am going to try to put syslog-ng on both sides (server/client), so I will start a new post about it. Thanks and best regards.