Full Disclosure mailing list archives

RE: syslog consolidation


From: Duncan Lindley <duncan.lindley () virginblue com au>
Date: Mon, 10 Nov 2003 15:22:13 +1000

I have had no grief from msyslog, it works a treat.

Eventlog to syslog comes in handy if you have some of that other, other
white meat also,
http://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys 

-Dunc

-----Original Message-----
From: Scott Taylor [mailto:security () 303underground com] 
Sent: Monday, 10 November 2003 2:29 PM
To: Ivan Coric
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] syslog consolidation

On Sun, 2003-11-09 at 20:47, Ivan Coric wrote:
> Hi List,
>
> I am looking into consolidation tools for syslog and syslog daemon
> replacement and would like to hear from the list on your experiences.
>
> I have looked at
> - intellitactics (too expensive)
> - netforensics (agents required)
> - m-syslog
> - syslog-ng

I use metalog on most of my systems. It does a nice job of splitting logs
based on the program that sent the message as well as regex matching, to put
anything matching "(failed|invalid)\s+(password|login|authentication)" for
example into a single file. It will also buffer messages in memory if you
want to be a little more efficient on your disk accesses. The biggest
problem with it is that it only works as a local daemon. 

So, to log all of my router/switch messages off the UDP listener, I also run
syslog-ng on one of my machines. The two do peacefully coexist; I only have
syslog-ng listening for UDP traffic without it opening up a local socket.
I'm barely using any of the features of syslog-ng, but at least it has
granular enough configuration that I only run the part of it that I want to.
And that is always a good thing.

--
Scott Taylor - <security () 303underground com> 

Davis' Law of Traffic Density:
        The density of rush-hour traffic is directly proportional to
        1.5 times the amount of extra time you allow to arrive on time.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
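A small Python model of the routing Scott describes above (one file per sending program, plus the quoted "(failed|invalid)\s+(password|login|authentication)" regex pulling authentication failures into a single file), run over constructed syslog lines as a UDP collector would receive them. This is an added example, not code from the thread, metalog or syslog-ng; the RFC 3164 line parsing and the sample lines are assumptions of the example, and `route(SAMPLE)` returns the per-destination buckets.

```python
import re
from collections import defaultdict

# The pattern Scott quotes for metalog; IGNORECASE is my addition so that
# sshd's "Failed password" is caught as well as lower-case variants.
AUTH_FAIL = re.compile(r"(failed|invalid)\s+(password|login|authentication)", re.IGNORECASE)

# Minimal BSD/RFC 3164 shape: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message".
SYSLOG_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)

def parse(line):
    """Split one syslog line into its fields; None if it is not syslog-shaped."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"]) if rec["pri"] is not None else 13  # user.notice default
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec

def route(lines):
    """Return {destination: [entries]}: one bucket per sending program, plus one
    bucket collecting everything that matches the auth-failure regex."""
    out = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            out["unparsed"].append(line)      # never drop what you cannot parse
            continue
        out["by-program/" + rec["tag"]].append(rec["msg"])
        if AUTH_FAIL.search(rec["msg"]):
            out["auth-failures"].append(f"{rec['host']} {rec['tag']}: {rec['msg']}")
    return dict(out)

# Constructed sample input, as a UDP collector might receive it.
SAMPLE = [
    "<38>Nov 10 14:29:01 gw1 sshd[2231]: Failed password for illegal user admin from 10.0.0.7 port 4011 ssh2",
    "<38>Nov 10 14:29:05 gw1 sshd[2231]: Accepted publickey for scott from 192.168.1.20 port 51022 ssh2",
    "<86>Nov 10 14:30:12 www1 login: invalid login attempt for root on tty1",
    "<30>Nov 10 14:31:44 gw1 dhcpd: DHCPACK on 10.0.0.7 to 00:11:22:33:44:55 via eth0",
    "garbage that is not syslog",
]
```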

