From owner-freebsd-security@FreeBSD.ORG Thu Jan 13 18:44:27 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BBB8D16A4CE for ; Thu, 13 Jan 2005 18:44:27 +0000 (GMT) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D91E43D60 for ; Thu, 13 Jan 2005 18:44:27 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from [192.168.1.3] (pool-68-160-208-232.ny325.east.verizon.net [68.160.208.232]) by pi.codefab.com (8.12.11/8.12.11) with ESMTP id j0DIiLYf044496 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 13 Jan 2005 13:44:23 -0500 (EST) Message-ID: <41E6C15C.4030907@mac.com> Date: Thu, 13 Jan 2005 13:43:40 -0500 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041217 X-Accept-Language: en-us, en MIME-Version: 1.0 Followup-To: freebsd-questions@freebsd.org To: Mark Johnston References: <200501131232.44441.mjohnston@skyweb.ca> In-Reply-To: <200501131232.44441.mjohnston@skyweb.ca> X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=1.8 required=5.5 tests=AWL,RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on pi.codefab.com cc: freebsd-security@freebsd.org Subject: Re: Aggregating logs from numerous FreeBSD machines X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2005 18:44:27 -0000 Mark Johnston wrote: > If I had to imagine an ideal system, it would be a central server that > securely collects syslog messages from all my servers, indexes them by server > and severity, and gives a reasonable management interface. Given expressions > based on facility, severity, log message, and the like, it could throw away > useless messages, or page me for critical ones. This would tie into > AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different > flavors of IDS. It could even warn me when processes run away with the CPU > or RAM, or disks get too full. Consider Big Brother from www.bb4.com. It monitors processes, ports, disk space, load average, looks for interesting stuff in the system logfile, and has a central web-based dashboard with historical logs. [ Slightly off-topic for freebsd-security, moving to -questions. ] -- -Chuck