From: Ted Cabeen
To: freebsd-security@freebsd.org
Date: Thu, 13 Jan 2005 16:39:11 -0800
Subject: Re: Aggregating logs from numerous FreeBSD machines
Message-ID: <87wtug26a8.fsf@gray.impulse.net>
References: <200501131232.44441.mjohnston@skyweb.ca>

Mark Johnston writes:

> Hi folks,
>
> My stack of trusty FreeBSD servers always seems to be growing, and it's
> getting to the point where the daily and security output mail is too much to
> make good use of. I'm looking for suggestions for log monitoring and
> aggregation tools, especially from a monitoring-for-security perspective.
>
> If I had to imagine an ideal system, it would be a central server that
> securely collects syslog messages from all my servers, indexes them by server
> and severity, and gives a reasonable management interface. Given expressions
> based on facility, severity, log message, and the like, it could throw away
> useless messages, or page me for critical ones. This would tie into
> AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different
> flavors of IDS. It could even warn me when processes run away with the CPU
> or RAM, or disks get too full.
>
> I've found a variety of things that almost do this. Nagios is good at paging
> for service failures, disk full warnings, and that sort of thing, but it
> doesn't seem well-suited for aggregating log messages. The Prelude IDS seems
> to have some kind of console, as does Samhain, but I want to try to avoid
> having different interfaces for each service type.
>
> I realize this is something that could be had using IPSec-protected remote
> logging with some greps and interface stuff bolted on, but if there's a
> ready-made tool, it'd save me a fair bit of implementation time. What kind
> of things are other security-minded admins using to stay on top of all the
> logs?

syslog-ng is useful for separating incoming log entries by server, facility
and priority. I'd start with that. You could then use something like
logwatch or logcheck to mail you or trigger a nagios warning on strange log
lines.

-- 
Ted Cabeen                    http://www.pobox.com/~secabeen    ted@cabeen.org
Check Website or Keyserver for PGP/GPG Key BA0349D2             ted@impulse.net
"I have taken all knowledge to be my province." -F. Bacon       secabeen@pobox.com
"Human kind cannot bear very much reality."-T.S.Eliot           secabeen@gmail.com
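As an added illustration of the syslog-ng split-by-host/facility/priority setup Ted suggests (this is not configuration from the thread), here is a central-loghost syslog-ng.conf. It assumes syslog-ng 3.x syntax rather than the 1.x of 2005, and the certificate paths, port numbers and log directory are placeholders you would adjust for your own site.

```conf
@version: 3.38

options {
    create-dirs(yes);     # let file() destinations create per-host directories
    keep-hostname(yes);   # trust the sender's own hostname field, do not rewrite it
    use-dns(no);          # no reverse lookups on the loghost (slow, and spoofable)
};

# Accept syslog only over TLS so the sending hosts are authenticated and the
# messages are encrypted in transit (the TLS alternative to the IPSec tunnel
# the original poster mentions). Paths below are placeholders.
source s_remote {
    network(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/usr/local/etc/syslog-ng/key.d/loghost.key")
            cert-file("/usr/local/etc/syslog-ng/cert.d/loghost.crt")
            ca-dir("/usr/local/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)   # client cert must chain to ca.d
        )
    );
};

# One file per sending host, facility and priority, e.g.
#   /var/log/remote/web1/auth.notice.log
destination d_per_host {
    file("/var/log/remote/$HOST/$FACILITY.$PRIORITY.log"
         create-dirs(yes) perm(0640) dir-perm(0750));
};

# Everything crit and above from every host lands in one file; point
# logcheck (or a Nagios check_log plugin) at this file to page on it.
filter f_critical { level(crit..emerg); };

destination d_critical {
    file("/var/log/remote/critical.log" perm(0640));
};

log { source(s_remote); destination(d_per_host); };
log { source(s_remote); filter(f_critical); destination(d_critical); };
```

The per-host tree keeps each server's log integrity independent of the others; the critical.log file is the small, high-signal stream the poster wanted paging on.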