From: John Pettitt
Date: Wed, 30 Mar 2005 18:26:14 -0800
To: kurt.buff@gmail.com
cc: freebsd-questions@freebsd.org
Subject: Re: syslog/postfix question

Kurt Buff wrote:

> I've been perusing man syslog and man syslog.conf, and haven't gotten
> my mind quite wrapped around it yet.
>
> I have 4 FBSD 5.3 servers on my network, each running postfix 2.x. One
> is a mail gateway to our Exchange server, the others are just using
> postfix for mailing out the daily/weekly/monthly/security logs, while
> they perform their other duties.
>
> I want to have the normal logging (in this case /var/log/messages and
> /var/log/maillog) happen both locally and sent to a remote syslog server.
>
> I haven't yet modified syslog.conf on any of these machines.
>
> Am I correct in believing that all I have to do to make this happen is
> uncomment the line that says:
>
> #*.* @loghost
>
> and change @loghost to match my syslog server? That is, along with
> making sure that name resolution works correctly, of course.

On the sending end that's it. On the receiving host you need to make sure syslogd has the correct setting to receive the log packets.

There are security upsides and downsides to doing what you propose.

Upside: logs are on a different box - hopefully a secure one - so you have a record of attacks against the other boxes.

Downside: log packets are unencrypted UDP so a black hat may be able to sniff them and learn about system configuration.

In the end I think the upside wins.

John
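
The sender and receiver settings discussed in this thread, as an added example that is not part of the original messages: a small sh audit run over constructed syslog.conf and rc.conf samples. It assumes FreeBSD syslogd's -s, -ss and -a flags and a default of syslogd_flags="-s"; the function names, file names and the 192.0.2.0/24 peer are illustrative.

```sh
# Added example. All file contents below are constructed samples.

# Hosts named by active (uncommented) "selector @host" lines in a syslog.conf.
forward_targets() {
    awk '!/^[ \t]*#/ && $NF ~ /^@./ { print substr($NF, 2) }' "$1"
}

# Last syslogd_flags value in an rc.conf-style file; "-s" if unset
# (assumed to be the FreeBSD default from /etc/defaults/rc.conf).
syslogd_flags() {
    grep -q '^syslogd_flags=' "$1" || { echo "-s"; return 0; }
    sed -n 's/^syslogd_flags="\(.*\)".*$/\1/p' "$1" | tail -n 1
}

# has_flag FLAG WORD...: succeed if one WORD is exactly FLAG.
has_flag() {
    want=$1; shift
    for f in "$@"; do [ "$f" = "$want" ] && return 0; done
    return 1
}

# Sender: needs an active @host line; -ss opens no network socket at all,
# which also stops forwarding.
audit_sender() {
    targets=$(forward_targets "$1"); flags=$(syslogd_flags "$2")
    [ -n "$targets" ] || { echo "FAIL: no active @host line"; return 1; }
    if has_flag -ss $flags; then echo "FAIL: -ss blocks forwarding"; return 1; fi
    echo "ok: forwards to $targets"
}

# Receiver: -s/-ss drop remote messages; -a limits who may send.
audit_receiver() {
    flags=$(syslogd_flags "$1")
    if has_flag -s $flags || has_flag -ss $flags; then
        echo "FAIL: secure mode, remote logs dropped"; return 1
    fi
    has_flag -a $flags || { echo "WARN: no -a peer restriction"; return 2; }
    echo "ok: syslogd_flags=\"$flags\""
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '#*.*\t@loghost\n' > "$tmp/syslog.shipped"   # line still commented out
printf '*.*\t@loghost\n' > "$tmp/syslog.forward"    # line uncommented
printf 'syslogd_flags="-ss"\n' > "$tmp/rc.ss"
: > "$tmp/rc.default"                               # no syslogd_flags set
printf 'syslogd_flags="-a 192.0.2.0/24"\n' > "$tmp/rc.loghost"
audit_sender "$tmp/syslog.forward" "$tmp/rc.default" || true
audit_receiver "$tmp/rc.default" || true
audit_receiver "$tmp/rc.loghost" || true
```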