From: Kurt Buff
Date: Wed, 30 Mar 2005 18:46:18 -0800
To: John Pettitt, freebsd-questions@freebsd.org
Subject: Re: syslog/postfix question
Message-ID: <424B647A.1040705@gmail.com>
In-Reply-To: <424B5FC6.5080803@cloudview.com>

John Pettitt wrote:
>
> Kurt Buff wrote:
>
>> I've been perusing man syslog and man syslog.conf, and haven't gotten
>> my mind quite wrapped around it yet.
>>
>> I have 4 FBSD 5.3 servers on my network, each running postfix 2.x. One
>> is a mail gateway to our Exchange server, the others are just using
>> postfix for mailing out the daily/weekly/monthly/security logs, while
>> they perform their other duties.
>>
>> I want to have the normal logging (in this case /var/log/messages and
>> /var/log/maillog) happen both locally and sent to a remote syslog server.
>>
>> I haven't yet modified syslog.conf on any of these machines.
>>
>> Am I correct in believing that all I have to do to make this happen is
>> uncomment the line that says:
>>
>> #*.* @loghost
>>
>> and change @loghost to match my syslog server? That is, along with
>> making sure that name resolution works correctly, of course.
>
> On the sending end that's it. On the receiving host you need to make
> sure syslogd has the correct setting to receive the log packets. There
> are security upsides and downsides to doing what you propose.
>
> Upside: logs are on a different box - hopefully a secure one - so you
> have a record of attacks against the other boxes.
>
> Downside: log packets are unencrypted UDP so a black hat may be able to
> sniff them and learn about system configuration.
>
> In the end I think the upside wins.
>
> John

That's what I needed to hear. I've been aware of the risks for a while -
I've got a syslogging client on my Windows servers. I want the
centralization - it makes research just that much easier.

Thanks for the help.

Kurt
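An added configuration example, not part of the thread, showing the sender-side syslog.conf change discussed above together with the receiving-side syslogd setting on FreeBSD that John refers to; the loghost name and the allowed network are placeholders.

```conf
# --- On each of the four sending hosts: /etc/syslog.conf ---
# The existing local destinations stay in place, so messages and maillog
# are still written locally (these are the stock FreeBSD 5.x selectors).
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
mail.info                                                       /var/log/maillog
# Forward everything to the central syslog server as well.
# "loghost.example.internal" is a placeholder: use a name that resolves,
# or an IP address, for the real syslog server.
*.*                                                             @loghost.example.internal

# --- On the receiving syslog server: /etc/rc.conf ---
# FreeBSD's syslogd starts with -s by default, which refuses remote input.
# Replace -s with -a so only the listed peers (placeholder network) are
# accepted; everything else on UDP/514 is dropped. The packets are still
# cleartext, so keep senders and loghost on a trusted network segment.
syslogd_enable="YES"
syslogd_flags="-a 192.0.2.0/24"
```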