Firewall Wizards mailing list archives

Re: More Syslog Questions


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 16 Jul 2004 08:20:58 -0400


> I am in the process of setting up a centralized syslog server running RedHat AS3.
> Currently, I am using syslog as our daemon, but have heard there are other, better
> solutions.  What do you suggest?

There are inherent limitations to how good syslog can get; just
bear that in mind. :)   Also, there are a plethora of syslogd replacements,
virtually all of which are better than stock syslogd. My bet would be
syslog-ng (http://www.balabit.com/downloads) - use it with tcp modes
and/or ssltunnel+compression and you'll be in good shape.

> In an effort to make the log server as secure as possible, I would like to find a
> way to use an append only file system.  Unfortunately, if this is done, logs cannot
> be rotated using logrotate so the server must be taken down to single user mode to
> rotate the logs, causing the loss of many log entries.

Most BSDs support immutable files - files that can only be changed
if the system is in single-user mode. That's about as close as you can
get to what you're looking for. Look into the chflags command on FreeBSD
for examples - googling for "chflags syslog immutable" ought to return you
a bunch of how-tos.

All that said, I'm a big believer in just making the box a locked down
system that only has one port going into it, with a chrooted syslogd
and a single authorized administrator. Immutable files are icing on
the cake! :)

mjr.  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
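As an added example, not part of Marcus's post: a small POSIX sh script that shows the approach his reply points at, on Linux as well as on the BSDs. It assumes (my assumption, not something the post states) that syslog-ng writes one file per day using its $YEAR$MONTH$DAY destination macros, e.g. /var/log/central/messages-20040716, so the daemon never needs a file renamed or truncated by logrotate; each morning the previous days' files are made immutable (chattr +i on Linux, chflags schg on BSD) and today's file can be kept append-only. LOGDIR, the file naming and the function names are my own choices.

```shell
#!/bin/sh
# Added example: lock closed daily logs instead of rotating a single growing file.
# Assumes syslog-ng writes LOGDIR/messages-YYYYMMDD (one file per day), so a closed
# day's file is never written again and can be made immutable without touching the
# file the daemon currently has open.

LOGDIR="${LOGDIR:-/var/log/central}"   # assumed layout, adjust to taste

# closed_logs DIR TODAY
# Print the daily files in DIR whose date (YYYYMMDD suffix) is earlier than TODAY.
# These are the only files that are safe to freeze: the daemon has finished with them.
closed_logs() {
    dir="$1"
    today="$2"
    for f in "$dir"/messages-????????; do
        [ -e "$f" ] || continue           # no match: the glob is returned literally
        day="${f##*-}"
        case "$day" in
            *[!0-9]*) continue ;;         # not a date suffix, leave it alone
        esac
        if [ "$day" -lt "$today" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# lock_log FILE
# Make FILE immutable: no writes, no rename, no unlink.
# Linux: chattr +i (ext2/ext3 attribute, cleared only with CAP_LINUX_IMMUTABLE).
# BSD:   chflags schg, which the post refers to; with kern.securelevel >= 1 even
#        root cannot clear it, hence "only in single-user mode".
lock_log() {
    case "$(uname -s)" in
        FreeBSD|NetBSD|OpenBSD) chflags schg "$1" ;;
        *)                      chattr +i "$1" ;;
    esac
}

# append_only FILE
# Today's file is still being written, so use the append-only flag instead:
# the daemon can add records, but nobody can truncate or rewrite what is there.
append_only() {
    case "$(uname -s)" in
        FreeBSD|NetBSD|OpenBSD) chflags sappnd "$1" ;;
        *)                      chattr +a "$1" ;;
    esac
}

# lock_closed_logs
# Freeze every finished day and keep the current day append-only. Meant to run
# from root's cron shortly after midnight, after syslog-ng has switched files.
lock_closed_logs() {
    today="$(date +%Y%m%d)"
    closed_logs "$LOGDIR" "$today" | while read -r f; do
        lock_log "$f"
    done
    [ -e "$LOGDIR/messages-$today" ] && append_only "$LOGDIR/messages-$today"
    return 0
}

# Usage: LOGDIR=/var/log/central sh lock-logs.sh run
case "${1:-}" in
    run) lock_closed_logs ;;
esac
```

Two caveats worth keeping in mind: on the BSDs the schg and sappnd flags are only enforced against root once kern.securelevel is raised to 1 or higher, which is exactly why the post says single-user mode is needed to undo them; on Linux chattr +i and +a stop root's ordinary writes but can be cleared by anyone holding CAP_LINUX_IMMUTABLE, so they raise the bar rather than remove it. Either way the daily-file layout removes the original problem: nothing ever has to be renamed or truncated while the daemon is running, so no log entries are lost to rotation.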

