syslog/postfix question

Kurt Buff kurt.buff at gmail.com
Wed Mar 30 18:50:26 PST 2005


John Pettitt wrote:
> 
> Kurt Buff wrote:
> 
> 
>>I've been perusing man syslog and man syslog.conf, and haven't gotten
>>my mind quite wrapped around it yet.
>>
>>I have 4 FBSD 5.3 servers on my network, each running postfix 2.x. One
>>is a mail gateway to our Exchange server, the others are just using
>>postfix for mailing out the daily/weekly/monthly/security logs, while
>>they perform their other duties.
>>
>>I want to have the normal logging (in this case /var/log/messages and
>>/var/log/maillog) happen both locally and sent to a remote syslog server.
>>
>>I haven't yet modified syslog.conf on any of these machines.
>>
>>Am I correct in believing that all I have to do to make this happen is
>>uncomment the line that says:
>>
>>#*.*                        @loghost
>>
>>and change @loghost to match my syslog server? That is, along with
>>making sure that name resolution works correctly, of course.
>>
>>
> 
> On the sending end that's it.  On the receiving host you need to make
> sure syslogd has the correct setting to receive the log packets.   There
> are security upsides and downsides to doing what you propose.
> 
> Upside: logs are on a different box - hopefully a secure one - so you
> have a record of attacks against the other boxes.
> 
> Downside: log packets are unencrypted UDP so a black hat may be able to
> sniff them and learn about system configuration.
> 
> In the end I think the upside wins.
> 
> John

That's what I needed to hear. I've been aware of the risks for a while - 
I've got a syslogging client on my Windows servers. I want the 
centralization - it makes research just that much easier.

Thanks for the help.

Kurt
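As an added illustration of the two halves of the setup discussed above (it is not code from the thread or from FreeBSD itself), the POSIX sh script below inspects a sender's syslog.conf and a receiver's rc.conf and reports whether forwarding is configured and whether the loghost's syslogd will accept remote messages, and from whom. Both configuration fragments are constructed inline so the script runs offline; the loghost name and addresses are placeholders. The receiver classification follows the syslogd(8) flags on FreeBSD: `-s` refuses remote messages, `-a peer` restricts which peers may log, and with neither the daemon accepts from any host.

```shell
#!/bin/sh
# Added example: check the sender/receiver syslog configuration from the thread.
# All sample contents below are constructed, not taken from a real host.

# Constructed sender /etc/syslog.conf: local files kept, forwarding line
# uncommented and pointed at a placeholder loghost name.
SENDER_SYSLOG_CONF='
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
mail.info                                                       /var/log/maillog
#*.*                                                            @loghost
*.*                                                             @loghost.example.invalid
'

# Constructed receiver /etc/rc.conf: -s removed so the socket accepts remote
# messages, -a limits acceptance to the senders' (placeholder) network/host.
RECEIVER_RC_CONF='
syslogd_enable="YES"
syslogd_flags="-a 192.0.2.0/24 -a 192.0.2.10"
'

# Print every remote target (the part after "@") on non-comment lines.
forward_targets() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 ~ /^@/ { sub(/^@/, "", $2); print $2 }'
}

# Extract the last syslogd_flags value from an rc.conf fragment.
syslogd_flags() {
    printf '%s\n' "$1" | sed -n 's/^syslogd_flags="\(.*\)"$/\1/p' | tail -n 1
}

# Classify the receiver: secure (drops remote), restricted (-a peers only),
# or open (accepts from any host; -a should be added on a loghost).
receiver_mode() {
    mode=open
    for w in $(syslogd_flags "$1"); do
        case "$w" in
            -s|-ss) mode=secure; break ;;
            -a)     mode=restricted ;;
        esac
    done
    echo "$mode"
}

# Stand-alone run: report both sides.
echo "sender forwards to: $(forward_targets "$SENDER_SYSLOG_CONF")"
echo "receiver mode:      $(receiver_mode "$RECEIVER_RC_CONF")"
```

On the senders, the only change is the forwarding line; local files continue to be written because the earlier lines are untouched. On the loghost, the point of the check is the "open" case: the FreeBSD default `syslogd_flags="-s"` has to be replaced rather than simply deleted, otherwise any host on the network can write into the central log.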

