On Wednesday 23 April 2003 17:48, Stefan Neufeind wrote:

> But what if you can't deploy a separate network just for syslog?
> Encrypt it somehow?
There are at least a couple of options:

1) Encrypt the syslog stream.

2) Keep the syslog stream plaintext, but really harden the syslog server as much as you can. The disadvantage to this is that an intruder may be able to deduce that he's being monitored (even if the syslog stream is encrypted), but it's a fair compromise if the situation doesn't warrant an admin network.

> In separate files for the machines on the central server?
> I guess this would best suit my needs. But again: It needs to be
> secure - even over a "public switch" :-(((

I'm assuming you mean maintaining a separate log per machine that you collect logs for? I wouldn't bother with that, personally. Grep is a great tool...

If you *really* generate a lot of log information and need to analyze it in greater detail, then dumping it into a database at the back end could be warranted. For most sites, though, grep is quite sufficient, especially if you combine it with swatch -- which can look through your log files for particular events that you define, and then email/page you when/if they occur. A simple, but quite usable intrusion detection system of sorts... All IMHO, of course...

Regardless of how you implement it, I always prefer to see a dedicated log server on a production network. I think that it is time and money well spent to set one up properly.

Cheers,
Ken
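The swatch-style approach Ken describes (define patterns, watch the central log, alert when they fire) is small enough to illustrate in full. The following is an added example, not code from the original mail or from swatch itself: it parses BSD-format syslog lines as they would land on a central log host, applies a handful of named rules, and raises one alert per host when a rule's threshold is reached, so that a burst of failed logins becomes a single page rather than a flood. The log lines, rule names and thresholds are all constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (traditional BSD format) as received on a
# central log host. Hosts, PIDs and addresses are made up for this example.
SAMPLE_LOG = """\
Apr 23 17:50:01 web1 sshd[2231]: Failed password for root from 10.0.0.5 port 40212 ssh2
Apr 23 17:50:03 web1 sshd[2231]: Failed password for root from 10.0.0.5 port 40213 ssh2
Apr 23 17:50:04 web1 sshd[2231]: Failed password for root from 10.0.0.5 port 40214 ssh2
Apr 23 17:50:10 db1 su[911]: su: BAD SU alice to root on /dev/pts/2
Apr 23 17:50:15 web1 sshd[2240]: Accepted publickey for deploy from 10.0.0.9 port 40300 ssh2
Apr 23 17:51:00 db1 kernel: Out of Memory: Killed process 4412 (postgres)
Apr 23 17:51:02 web1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# "Mon DD HH:MM:SS host tag[pid]: message" -- the pid part is optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Watch rules, in the spirit of swatch's "watchfor" stanzas (hypothetical rule
# names): (name, pattern applied to the message, per-host threshold).
RULES = [
    ("ssh-bruteforce", re.compile(r"Failed password for \S+ from \S+"), 3),
    ("bad-su", re.compile(r"BAD SU"), 1),
    ("oom-kill", re.compile(r"Out of Memory"), 1),
    ("sudo-root-shell", re.compile(r"USER=root ; COMMAND=\S*/(bash|sh|zsh)$"), 1),
]


def parse_syslog(line):
    """Split one BSD syslog line into its fields, or return None if malformed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def watch(lines, rules=RULES):
    """Run every rule over every line.

    Returns a list of (rule, host, triggering message) alerts. A rule fires for a
    host exactly once, when the per-host match count reaches its threshold; this
    is the simplest form of the throttling swatch does, and keeps repeated
    failures from paging the admin repeatedly.
    """
    counts = Counter()
    alerts = []
    for raw in lines:
        rec = parse_syslog(raw)
        if rec is None:
            # Unparseable input on a log host is itself worth a look.
            alerts.append(("unparsed-line", "?", raw))
            continue
        for name, rx, threshold in rules:
            if rx.search(rec["msg"]):
                key = (name, rec["host"])
                counts[key] += 1
                if counts[key] == threshold:
                    alerts.append((name, rec["host"], rec["msg"]))
    return alerts


def format_page(alert):
    """Render an alert as the one-line text swatch would hand to mail/pager."""
    rule, host, msg = alert
    return f"[{rule}] {host}: {msg}"


if __name__ == "__main__":
    for alert in watch(SAMPLE_LOG.splitlines()):
        print(format_page(alert))
```

In practice the input would be the tail of the central log file rather than an embedded string, and the action would be a mail or pager call rather than `print`; the rule table is where the site-specific knowledge lives, exactly as Ken suggests with swatch.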