[syslog-ng] Seeking suggestions on a secure central syslog-ng setup..

Sean McNamara sean.mcnamara@villanova.edu
Mon, 12 Nov 2001 12:26:44 -0500


Hello all,

    First of all, please excuse me if this is off-topic; but seeing as I'm
looking for something which will interface/work with syslog-ng, I
thought that this would be as good of a place as any to get a start.

To move on...

    We're currently running two central syslog servers (specifically
syslog-ng) on Solaris 8/Sparc, and are investigating methods of setting
up a central location where these logs may be processed (i.e. searching,
alert generation, etc.) and viewed via a web-enabled console of some
sort that ideally offers some method for access control to define
varying levels of access to log reports, raw data, etc. Though that
would be ideal, it's by no means _absolutely_ necessary.

    My current idea is as follows: to have a third server that acts as
the 'processing/viewing' server which NFS (a la WVrpcbind for security)
mounts the log directories on the remote logserver, and does the
processing remotely, rather than on the already burdened logserver.
I'm sure this is no amazing idea.. however, I'm just not sure I've
reviewed all of my options as far as what would be doing the processing
portion of the task.

    We have a large variety of logs maintained at these locations,
amongst them named (BIND), DHCP, PIX (firewall), IPFilters,
RADIUS (Interlink Networks), ssh, inetd, authlog (i.e. login
attempts/failures), kernel logs, etc., etc. So yet another
consideration in addition to all mentioned is for the software to have
the ability to at least somewhat parse the logfile data in
order to generate alerts, and in some cases (if there exists an 'access
control' feature), allow for some of the logfile data to be 'sugar
coated', that is, basically to simplify information from the raw logs to
cater to less technical individuals, e.g. helpdesk staff, etc., who may
have a need to view specific log data, but may not be able to (or have
the will to) read the technical details of raw log files.

    I know I've specified a bit of a wishlist beyond just basic syslog
log viewing/reporting, but I suppose I ought to aim high and see what
comes out of it. I'm toying with the idea of writing such a system
as above, but I don't know if I have the time to dedicate to it;
so I'm hoping that at least something will come somewhere close.

    So, this is where I turn it over to you -- can anyone give me any
examples of how you may have managed a situation like this? Or
specifically of any software available to do as I described?

    Any comments, examples, or pointers to resources would be greatly
appreciated.


Many thanks in advance,


..Sean R. McNamara.

Network Systems Administrator,

Villanova University
UNIT- Data Network Services
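One way the 'processing' side of the setup described above could start, as an added example that is not part of the original post or of syslog-ng: a small Python parser over constructed syslog-ng file output (sshd and named lines), producing alerts for repeated login failures and a simplified 'sugar coated' view for helpdesk staff while administrators get the raw lines. All host names, addresses, sample lines and the failure threshold are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the BSD syslog format syslog-ng writes to a file (not real log data).
SAMPLE_LOG = """\
Nov 12 12:01:03 gw1 sshd[2031]: Failed password for root from 10.0.0.5 port 51022 ssh2
Nov 12 12:01:05 gw1 sshd[2031]: Failed password for root from 10.0.0.5 port 51023 ssh2
Nov 12 12:01:08 gw1 sshd[2031]: Failed password for admin from 10.0.0.5 port 51024 ssh2
Nov 12 12:02:10 gw1 sshd[2044]: Accepted password for alice from 10.0.0.9 port 40111 ssh2
Nov 12 12:03:00 ns1 named[412]: denied update from 10.0.0.77#53 for "example.edu" IN
this line is not syslog at all
"""

# Header: "<timestamp> <host> <program>[pid]: <message>"; the sshd pattern pulls out user and source IP.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Templates for the simplified view shown to non-technical staff.
HELPDESK_TEXT = {"Accepted": "{user} logged in to {host} at {ts}",
                 "Failed": "login attempt for {user} on {host} was rejected at {ts}"}

def parse(text):
    """Split log file text into records; lines that do not parse are kept, not silently dropped."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        rec = m.groupdict() if m else {"ts": "", "host": "", "prog": "unparsed", "msg": line}
        rec["raw"] = line
        s = SSH_RE.match(rec["msg"]) if rec["prog"] == "sshd" else None
        if s:
            rec.update(s.groupdict())
        records.append(rec)
    return records

def alerts(records, threshold=3):
    """Alert on a source IP with >= threshold failed ssh logins per host, and on any denied DNS update."""
    fails = Counter((r["host"], r["ip"]) for r in records if r.get("result") == "Failed")
    out = [f"{ip} made {n} failed ssh logins against {host}" for (host, ip), n in fails.items() if n >= threshold]
    out += [f"{r['host']}: {r['msg']}" for r in records if r["prog"] == "named" and "denied" in r["msg"]]
    return out

def view(records, role):
    """Access control by role: raw lines for admins, the 'sugar coated' summary for helpdesk, nothing otherwise."""
    if role == "admin":
        return [r["raw"] for r in records]
    if role == "helpdesk":
        return [HELPDESK_TEXT[r["result"]].format(**r) for r in records if r.get("result") in HELPDESK_TEXT]
    raise PermissionError(f"role {role!r} may not view log data")
```

Run `parse(SAMPLE_LOG)` and pass the result to `alerts()` and `view()`; a real deployment would read the NFS-mounted log files instead of the embedded sample and evaluate the failure count over a time window rather than the whole file.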