Full Disclosure mailing list archives
Re: syslog consolidation
From: Scott Taylor <security () 303underground com>
Date: Sun, 09 Nov 2003 21:28:33 -0700
On Sun, 2003-11-09 at 20:47, Ivan Coric wrote:
Hi List, I am looking into consolidation tools for syslog and syslog daemon replacement and would like to hear from the list on your experiences. I have looked at:
- intellitactics (too expensive)
- netforensics (agents required)
- m-syslog
- syslog-ng
I use metalog on most of my systems. It does a nice job of splitting
logs based on the program that sent the message, as well as regex
matching, to put anything matching
"(failed|invalid)\s+(password|login|authentication)", for example, into a
single file. It will also buffer messages in memory if you want to be a
little more efficient on your disk accesses. The biggest problem with it
is that it only works as a local daemon.
So, to log all of my router/switch messages off the UDP listener, I also
run syslog-ng on one of my machines. The two do peacefully coexist; I
only have syslog-ng listening for UDP traffic without it opening up a
local socket. I'm barely using any of the features of syslog-ng, but at
least it has granular enough configuration that I only run the part of
it that I want to. And that is always a good thing.
--
Scott Taylor - <security () 303underground com>
Davis' Law of Traffic Density:
The density of rush-hour traffic is directly proportional to
1.5 times the amount of extra time you allow to arrive on time.
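As an added illustration (not code from the post, nor from metalog or syslog-ng): a minimal Python receiver that does what the two daemons do in the setup above, namely listen on UDP only, split incoming lines per sending host and program, and route anything matching the regex quoted in the post into a single auth-failure file. The parser, the sample datagrams, the `/var/log/net` path and the `serve()` function are constructed here; port 514 is the conventional syslog port.

```python
import re
import socket
# The regex quoted in the post, applied metalog-style to pull login failures into one file.
AUTH_FAIL = re.compile(r"(failed|invalid)\s+(password|login|authentication)", re.IGNORECASE)
# Classic BSD syslog line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:? ?(?P<msg>.*)$"
)
# Constructed sample datagrams, as a switch and a router might send them.
SAMPLE = [
    "<38>Nov  9 21:10:03 core-sw1 login: Invalid password for user admin from 10.0.0.7",
    "<86>Nov  9 21:11:45 gw-rtr sshd[4120]: Failed password for root from 10.0.0.9 port 50212 ssh2",
    "<30>Nov  9 21:12:00 gw-rtr dhcpd: DHCPACK on 10.0.0.9 to 00:11:22:33:44:55",
    "this is not a syslog message at all",
]

def parse_syslog(line):
    """Split a BSD syslog line into fields; PRI decodes as facility * 8 + severity."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8) if rec["pri"] else (None, None)
    return rec

def safe_name(value):
    """Host and tag come from unauthenticated UDP senders: never let them steer the file path."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", value).strip(".") or "unknown"

def route(line, logroot="/var/log/net"):
    """Files a line belongs in: one per host/program, plus the auth-failure file when the regex hits."""
    rec = parse_syslog(line)
    if rec is None:
        return [f"{logroot}/unparsed.log"]  # keep what you cannot parse instead of dropping it
    dests = [f"{logroot}/{safe_name(rec['host'])}.{safe_name(rec['tag'])}.log"]
    if AUTH_FAIL.search(rec["msg"]):
        dests.append(f"{logroot}/auth-failures.log")
    return dests

def serve(port=514, logroot="/var/log/net"):
    """UDP-only listener (port 514 needs root), no local socket, like the post's syslog-ng setup."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(8192)
        line = data.decode("utf-8", "replace").rstrip()
        for path in route(line, logroot):
            with open(path, "a") as fh:
                fh.write(f"{src} {line}\n")  # sender address is spoofable over UDP but still worth keeping
```

Call `serve()` as root to actually bind port 514; `route()` on its own is enough to exercise the splitting and the auth-failure match offline.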
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html