Recipe 9.29 Logging Remotely

Previous page
Table of content
Next page

9.29.1 Problem

You want system logger messages saved on a remote machine rather than locally.

9.29.2 Solution

Configure /etc/syslog.conf for remote logging, using the "@" syntax:

/etc/syslog.conf: # Send all messages to remote system "loghost" *.*             @loghost

On loghost, tell syslogd to accept messages from the network by adding the -r option:

# syslogd -r ...

or within /etc/sysconfig/syslog:

SYSLOGD_OPTIONS="... -r ..."   Red Hat SYSLOGD_PARAMS="... -r ..."    SuSE

Remember to send a signal to syslogd to pick up any changes to /etc/syslog.conf [Recipe 9.27], or to restart the daemon on loghost if you have changed command-line options.

9.29.3 Discussion

The system logger can redirect messages to another machine: this is indicated in /etc/syslog.conf by an "@" character followed by a machine name as the destination. Our recipe shows a simple remote logging configuration that sends all messages to a remote machine, conventionally named loghost.

The remote configuration can be convenient for collecting messages from several machines in log files on a single centralized machine, where they can be monitored and examined. You might also want to use this configuration on a machine like a web server, so that log files cannot be read, tampered with, or removed by an intruder if a break-in occurs.

Local and remote rules can be combined in the same syslog.conf configuration, and some categories of messages can be sent to both local and remote destinations.

The system logger will not accept messages from another machine by default. To allow this, add the syslogd -r command-line option on loghost. Your loghost can even collect messages from other types of systems, e.g., routers and switches. Protect your loghost with your firewall, however, to prevent others from bombarding your server with messages as a denial of service attack.

To allow the loghost to be changed easily, set up a "loghost" CNAME record on your nameserver that points to a specific machine:

loghost IN CNAME watchdog.example.com.

(Don't forget the final period.) You can then redirect messages by simply modifying the CNAME record, rather than a potentially large number of /etc/syslog.conf files. Add the syslogd -h option on your old loghost to forward your messages to the new loghost, until you have a chance to reconfigure those routers and switches unaware of the change.

9.29.4 See Also

syslogd(8), syslog.conf(5).

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Certified Ethical Hacker Exam Prep
MySQL Clustering
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
File System Forensic Analysis
Extending and Embedding PHP
User Interfaces in C#: Windows Forms and Custom Controls
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy