Thursday, August 14, 2008

Centralised Logging host

The last thing a cracker does after compromising your system is try to remove all traces of what they have done on it, and they do this by altering or deleting your log files.

Log files are essential for monitoring your system and for restoring it to a working state after a failure or a compromise. It is a very good idea to have your log files stored on a central server, for both convenience and security reasons: a copy held on another host is out of reach of whoever has compromised the sending machine. In a large network it is also more convenient to have all your log files accessible in one central place.

Decide on the server that will accept log messages from the other servers. On that server, edit your /etc/sysconfig/syslog file and find the stanza

SYSLOGD_OPTIONS="-m 0"

Add a -r, like so:

SYSLOGD_OPTIONS="-r -m 0"

(-r = receive log messages from remote hosts; syslogd then listens on UDP port 514, so that port must be reachable from the sending machines.)

Restart syslogd by typing /etc/init.d/syslog restart
Your server is now ready to accept log messages from your other servers/machines.

On the machine that you want to send the log files from, edit your /etc/syslog.conf file and add the following line:

user.* @192.168.1.60

where 192.168.1.60 is the IP address of the server that you set up to receive the log files; you can substitute the hostname of the server for the IP address if you want.

Restart syslogd by typing /etc/init.d/syslog restart
Your server at 192.168.1.60 will now receive and store all the log messages from the machine that you have set up to send from.

You can test the new setup by using the logger command to create a log message:

logger -i -t Clive "Testing centralised logging"

The message should appear in your centralised logging server's /var/log/messages file.
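One thing worth checking before trusting the setup is which messages the forwarding line actually covers. The following is an added example, not code from the original post: a small model of sysklogd's syslog.conf selector rules (facility.level, "*" wildcards, "facility.none" exclusions) together with the facility/severity decoding of the <PRI> value that logger puts on the wire. It shows that the logger test above (user.notice, <13>) is forwarded by "user.* @192.168.1.60", while an authpriv message such as a login record is not, unless the selector is widened to "*.*". The sample config and host addresses are constructed for the example.

```python
# Added example, not code from the original post: a model of sysklogd's syslog.conf
# selector rules, to check which messages a line such as "user.* @192.168.1.60" forwards.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Lower index = more urgent; "facility.level" means "this level or more urgent".
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """Split the on-wire <PRI> value (facility * 8 + severity) into names; logger defaults to user.notice = <13>."""
    fac_num, sev_num = divmod(pri, 8)
    facility = next(name for name, n in FACILITIES.items() if n == fac_num)
    return facility, SEVERITIES[sev_num]

def selector_matches(selector, facility, severity):
    """True if one 'facility.level' selector covers the message."""
    fac_part, level = selector.rsplit(".", 1)
    if "*" not in fac_part and facility not in fac_part.split(","):
        return False
    return level == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(level)

def forward_targets(conf_text, pri):
    """Remote hosts (the '@host' actions) that receive a message with this <PRI>."""
    facility, severity = decode_pri(pri)
    targets = []
    for line in conf_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if not action.strip().startswith("@"):
            continue
        hit = False
        for sel in selectors.split(";"):  # read left to right; "x.none" cancels a match
            if sel.endswith(".none"):
                hit = hit and not selector_matches(sel[:-4] + "*", facility, severity)
            elif selector_matches(sel, facility, severity):
                hit = True
        if hit:
            targets.append(action.strip()[1:])
    return targets

# Constructed sample of a client's /etc/syslog.conf using the post's forwarding line.
CLIENT_CONF = """\
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
user.*                           @192.168.1.60
"""
```

Running forward_targets(CLIENT_CONF, 13) returns the central host, forward_targets(CLIENT_CONF, 86) (authpriv.info) returns nothing, which is the gap to close if you expect login events on the central server.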
