But what if you can't deploy a separate network just for syslog? Encrypt it somehow? Or just use ip-based-security? I guess that's the worse idea if you might be on a switch with several other machines, right?
And do I really need a real syslog on the other machine? Or is there any daemon so I can receive syslog-entries like

machine1: ...
machine2: ...
machine2: ...

In separate files for the machines on the central server? I guess this would best suit my needs. But again: It needs to be secure - even over a "public switch" :-(((

On 23 Apr 2003 at 16:37, Kenneth R. van Wyk wrote:

> On Wednesday 23 April 2003 13:43, Stefan Neufeind wrote:
> > what is the best way to remotely syslog?
>
> If the business situation warrants the expense, then I advise my
> clients to run an admin network on critical servers, with one hardened
> syslog server to receive event logs from the servers. Keep admin
> (including) and production data separate, and only run syslogd (and
> possibly sshd) on the syslog server. It's also a good idea to keep
> the log data on a RAID-5 array for reliability, but that's another
> issue.
>
> Short of write-once media, 1-way wiring, etc., this is a pretty darned
> secure way of deploying a syslog server, IMHO.
>
> Cheers,
>
> Ken van Wyk
> -----
> author, "Incident Response" and "Secure Coding", O'Reilly & Assoc.
> www.incidentresponse.com, www.securecoding.org