Aggregating logs from numerous FreeBSD machines
Ted Cabeen
ted at impulse.net
Thu Jan 13 16:52:37 PST 2005
Mark Johnston <mjohnston at skyweb.ca> writes:
> Hi folks,
>
> My stack of trusty FreeBSD servers always seems to be growing, and it's
> getting to the point where the daily and security output mail is too much to
> make good use of. I'm looking for suggestions for log monitoring and
> aggregation tools, especially from a monitoring-for-security perspective.
>
> If I had to imagine an ideal system, it would be a central server that
> securely collects syslog messages from all my servers, indexes them by server
> and severity, and gives a reasonable management interface. Given expressions
> based on facility, severity, log message, and the like, it could throw away
> useless messages, or page me for critical ones. This would tie into
> AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different
> flavors of IDS. It could even warn me when processes run away with the CPU
> or RAM, or disks get too full.
>
> I've found a variety of things that almost do this. Nagios is good at paging
> for service failures, disk full warnings, and that sort of thing, but it
> doesn't seem well-suited for aggregating log messages. The Prelude IDS seems
> to have some kind of console, as does Samhain, but I want to try to avoid
> having different interfaces for each service type.
>
> I realize this is something that could be had using IPSec-protected remote
> logging with some greps and interface stuff bolted on, but if there's a
> ready-made tool, it'd save me a fair bit of implementation time. What kind
> of things are other security-minded admins using to stay on top of all the
> logs?
syslog-ng is useful for separating incoming log entries by server,
facility and priority. I'd start with that. You could then use
something like logwatch or logcheck to mail you or trigger a Nagios
warning on strange log lines.
--
Ted Cabeen http://www.pobox.com/~secabeen ted at cabeen.org
Check Website or Keyserver for PGP/GPG Key BA0349D2 ted at impulse.net
"I have taken all knowledge to be my province." -F. Bacon secabeen at pobox.com
"Human kind cannot bear very much reality."-T.S.Eliot secabeen at gmail.com
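A syslog-ng configuration that implements the host/facility/priority split and the critical-message routing suggested above, added here as an example (it is not from the original message or the syslog-ng project); it uses syslog-ng 3.x syntax, and the listen address, port, file paths and the noise pattern are placeholders.

```conf
# Example collector config (added, not from the original post).
# Assumes syslog-ng 3.x; set the @version line to the installed release.
@version: 3.38

options { create_dirs(yes); keep_hostname(yes); };

# Accept syslog from the other servers. TCP (or TLS) is preferred over
# UDP so messages are not silently dropped; bind only the address the
# servers can reach (placeholder address).
source s_remote {
    network(ip("192.0.2.10") port(514) transport("tcp"));
};

# Messages from the collector itself.
source s_local { system(); internal(); };

# One file per host, facility and priority: the split recommended above.
destination d_by_host {
    file("/var/log/hosts/$HOST/$FACILITY.$PRIORITY.log"
         owner("root") group("wheel") perm(0640));
};

# Everything at crit or above, from every host, in one file that a
# pager script or logcheck-style job can watch.
filter f_critical { level(crit..emerg); };
destination d_critical { file("/var/log/hosts/critical.log"); };

# Drop a known-noisy message instead of storing it (placeholder pattern).
filter f_noise { not match("-- MARK --" value("MESSAGE")); };

log { source(s_remote); filter(f_noise);    destination(d_by_host); };
log { source(s_remote); filter(f_critical); destination(d_critical); };
log { source(s_local);                      destination(d_by_host); };
```

logwatch or logcheck can then be run against the per-host files, and critical.log is the file a Nagios check or paging script would tail.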