Friday, February 13, 2009

Central Syslog for Servers

EDIT: This post was written in a hurry but I promise I will come back to it soon to elaborate.

There are two good reasons not to keep your server logs only on the server itself. The first is the case where someone compromises your server, plays about with it a bit and then deletes the log files: the copy that was already shipped off the box is out of their reach.
The second is having all your log files in one place so you can run tools like Splunk on them.

This is how you go about doing it. I will assume that the syslog server (where the logs go to) is running some variation of Linux; these instructions are largely focussed on Debian.

/etc/init.d/sysklogd stop
edit /etc/sysklogd.conf
change syslogd "" to syslogd "-r -m0"

This will allow remote machines to log to this host (-r) and will remove the --MARK-- lines (-m0) that plague your logs. I'm still in two minds about removing the mark, as it lets you know that your logs are still being written to, but on a large network there will (most likely) always be something somewhere writing to a log file.

Okay, next open up /etc/syslog.conf and add

local7.debug /var/log/enterprise.log

This writes everything arriving on the local7 facility, which is what the Cisco and Windows devices below will log to, into /var/log/enterprise.log.
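To see why one selector line is enough for those devices, it helps to look at what a syslog line actually carries. Every message starts with a <PRI> number, which is facility*8 + severity, and a sysklogd selector such as local7.debug means "that level and everything more severe", so local7.debug catches all of local7. The script below is an added example, not code from the original post: it decodes the PRI of a line into facility.severity, builds a PRI from names, and checks a line against a selector. The sample lines are constructed for the demo, and the names used for facility codes 12 to 15 are placeholders since sysklogd has no keywords for them.

```sh
#!/bin/sh
# Added example, not code from the original post: decode the <PRI> prefix
# of a BSD-style syslog line into facility.severity and check it against a
# syslog.conf selector such as "local7.debug". Sample lines are constructed.

# Facility codes 0-23 (RFC 3164). Codes 12-15 have no syslog.conf keyword in
# sysklogd; the names used for them here are placeholders.
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit logalert clock local0 local1 local2 local3 local4 local5 local6 local7"
# Severity codes 0-7, most severe first.
SEVERITIES="emerg alert crit err warning notice info debug"

# nth LIST INDEX -> word number INDEX (0-based) of LIST
nth() {
    i=0
    for w in $1; do
        [ "$i" -eq "$2" ] && { printf '%s' "$w"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# index_of LIST NAME -> 0-based position of NAME in LIST
index_of() {
    i=0
    for w in $1; do
        [ "$w" = "$2" ] && { printf '%s' "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# decode_pri LINE -> "facility.severity" for a line that starts with <PRI>
decode_pri() {
    case $1 in
        "<"[0-9]*">"*) ;;
        *) return 1 ;;
    esac
    pri=${1#<}; pri=${pri%%>*}
    case $pri in *[!0-9]*) return 1 ;; esac
    [ "$pri" -le 191 ] || return 1      # 23*8+7 is the largest legal PRI
    printf '%s.%s\n' "$(nth "$FACILITIES" $((pri / 8)))" "$(nth "$SEVERITIES" $((pri % 8)))"
}

# encode_pri FACILITY SEVERITY -> numeric PRI (facility*8 + severity)
encode_pri() {
    f=$(index_of "$FACILITIES" "$1") || return 1
    s=$(index_of "$SEVERITIES" "$2") || return 1
    printf '%s\n' $((f * 8 + s))
}

# selector_matches SELECTOR PRI -> 0 if a sysklogd selector such as
# "local7.debug" would catch a message with that PRI. The selector names a
# level and everything more severe than it.
selector_matches() {
    want=$(encode_pri "${1%%.*}" "${1#*.}") || return 2
    [ $(($2 / 8)) -eq $((want / 8)) ] && [ $(($2 % 8)) -le $((want % 8)) ]
}

# Demo on two constructed lines: a router message on local7.notice (189)
# and a kernel line on kern.info (6). Only the first is caught by local7.debug.
for line in \
    '<189>Feb 13 12:00:00 router1 12: configuration changed from console' \
    '<6>Feb 13 12:00:01 web1 kernel: eth0: link is up'
do
    pri=${line#<}; pri=${pri%%>*}
    if selector_matches local7.debug "$pri"; then hit=yes; else hit=no; fi
    printf '%-14s caught by local7.debug: %s\n' "$(decode_pri "$line")" "$hit"
done
```

The check is useful the other way round too: if a device is configured to send at local7 but the lines never reach enterprise.log, decoding the PRI of a packet captured on the server tells you straight away whether the device is actually using the facility you think it is.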

/etc/init.d/sysklogd start

DONE on the server
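Once the three server-side steps above are done, it is worth being able to prove they are still in place, because a central log host is only as good as the settings that make it accept and protect remote logs. The script below is an added example, not code from the original post: it reads the syslogd options line, finds the rule that handles local7, and checks that the target log file is not group- or world-writable. Paths are passed in as arguments so it can be pointed at the real files or at constructed copies. It assumes the options line is written either as syslogd "-r -m0", as in the post, or as SYSLOGD="-r -m0", which is how Debian's /etc/default/syslogd spells it; the demo files are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a sysklogd central
# log setup configured the way the post describes. Assumes the syslogd
# options line looks like  syslogd "-r -m0"  or  SYSLOGD="-r -m0".

# syslogd_opts FILE -> prints the quoted option string given to syslogd
syslogd_opts() {
    sed -n 's/^[[:space:]]*[Ss][Yy][Ss][Ll][Oo][Gg][Dd][[:space:]]*=\{0,1\}[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# remote_enabled FILE -> 0 if -r (accept remote messages) is set
remote_enabled() {
    case " $(syslogd_opts "$1") " in
        *" -r "*) return 0 ;;
        *) return 1 ;;
    esac
}

# marks_disabled FILE -> 0 if -m0 (no --MARK-- heartbeat) is set
marks_disabled() {
    case " $(syslogd_opts "$1") " in
        *" -m0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# local7_target CONF -> prints the file the first rule covering local7
# writes to. A rule whose selector carries local7.none (or *.none) is
# skipped. Only "local7" and "*" facility names are recognised.
local7_target() {
    awk '$1 !~ /^#/ && $2 ~ /^-?\// {
            n = split($1, parts, ";"); hit = 0
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /^(local7|\*)\.none$/) { hit = 0; break }
                if (parts[i] ~ /^(local7|\*)\./) hit = 1
            }
            if (hit) { sub(/^-/, "", $2); print $2; exit }
        }' "$1"
}

# logfile_safe FILE -> 0 unless the file is group- or world-writable
logfile_safe() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# audit_syslog_server OPTIONS_FILE SYSLOG_CONF -> 0 if every check passes
audit_syslog_server() {
    rc=0
    if remote_enabled "$1"; then echo "ok: syslogd accepts remote messages (-r)"
    else echo "FAIL: no -r in syslogd options"; rc=1; fi
    if marks_disabled "$1"; then echo "note: -m0 set, no --MARK-- heartbeat"
    else echo "note: --MARK-- lines enabled"; fi
    target=$(local7_target "$2")
    if [ -z "$target" ]; then
        echo "FAIL: no rule for local7 in $2"; rc=1
    else
        echo "ok: local7 -> $target"
        if [ ! -e "$target" ]; then
            echo "note: $target does not exist yet"
        elif logfile_safe "$target"; then
            echo "ok: $target is not group/world writable"
        else
            echo "FAIL: $target is group/world writable"; rc=1
        fi
    fi
    return $rc
}

# Demo against constructed copies of the post's settings.
demo=$(mktemp -d)
printf 'SYSLOGD="-r -m0"\n' > "$demo/syslogd"
printf 'auth,authpriv.*\t/var/log/auth.log\nlocal7.debug\t%s/enterprise.log\n' "$demo" > "$demo/syslog.conf"
: > "$demo/enterprise.log"
chmod 640 "$demo/enterprise.log"
audit_syslog_server "$demo/syslogd" "$demo/syslog.conf"
rm -rf "$demo"
```

Run it against the live files with audit_syslog_server /etc/default/syslogd /etc/syslog.conf (or the sysklogd.conf path the post uses) after every change; a FAIL on the permissions check means anyone with a local account on the log host can alter the very copy that was supposed to survive a compromise elsewhere.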

On Windows Clients

Download SNARE from InterSect Alliance, install it and don't use the web interface.

Run regedit and edit HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\

In Config, change the delimiter to be " " (i.e. a space).
In Network, change the destination to be your syslog server,
and also in Network check that the port is set to 514, which is the default.

2 comments:

daspeac said...

I believe you have also heard about the way to recover data from Illustrator

Jay said...

For centralized logging on Windows and Unix you might want to take a look at nxlog. It's free and open-source.