Hi,

If you get it on a Linux or certain Unix boxes where there are file system level access controls to prevent modifications, that'll be enough.

For example: Linux ext2 FS has the ACL to allow logfiles to be opened append-only; you can search for the lsattr and chattr commands. I have used this feature with Linux and AIX (JFS2).

Theoretically there is no way you can hide things from the sysadmin (I mean real sysadmins). Even if you encrypt it, the sysadmin will still have the private key to decrypt it.

Cheers,
Kosala

On Jan 30, 2008 1:28 AM, S D Fisher <[EMAIL PROTECTED]> wrote:
> How does one then protect the syslog server from tampering?
> The second part of the requirement (usually) is some sort of encryption or
> hashing process that protects the collected logs on the syslog server from
> even the admins.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Ron Johnson - Adhost
> Sent: Tuesday, January 29, 2008 3:27 PM
> To: Kurt Buff
> Cc: [email protected]
> Subject: RE: Centralizing Event Viewer Logs
>
> Thanks for all the quick input folks. I will definitely look into each
> solution.
>
> -Ron
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 12:24 PM
> To: Ron Johnson - Adhost
> Cc: [email protected]
> Subject: Re: Centralizing Event Viewer Logs
>
> There are several alternatives, but I've settled on the Kiwisoft
> syslog server (the free version is fine, but the pay version is cheap
> and does some very nice extra things) and the IntersectAlliance Snare
> syslog client. The Snare client takes each event entry, formats it to
> a single line, then sends it to the syslog server. Install it on each
> of your machines for which you are monitoring event logs, and it works
> nicely.
>
> On Jan 29, 2008 11:51 AM, Ron Johnson - Adhost <[EMAIL PROTECTED]> wrote:
> > Hello List:
> >
> > I was looking into options that will allow us to centralize Event Viewer
> > Logs in an Active Directory domain - can anyone recommend any software
> > for this? It would be great if we could find a piece of software that
> > does just this - not a full blown enterprise security solution that
> > cost$ and does many other things that we wouldn't use it for
> > necessarily.
> >
> > Thanks!
> >
> > __________ NOD32 2232 (20070430) Information __________
> > This message was checked by NOD32 antivirus system.
> > http://www.eset.com

--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
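
The append-only attribute mentioned in the reply above can be audited across a log directory by reading `lsattr` output. This is an added example, not part of the original thread; the function names and the sample `lsattr` lines are constructed for illustration.

```shell
# Audit helper: reads `lsattr` output on stdin and prints every file whose
# attribute field lacks the append-only flag 'a'.
missing_append_only() {
    while read -r attrs path; do
        [ -n "$path" ] || continue          # skip blank or malformed lines
        case "$attrs" in
            *a*) ;;                         # append-only is set
            *)   printf '%s\n' "$path" ;;   # can be rewritten in place: report it
        esac
    done
}

# Constructed sample of `lsattr /var/log/*` output (not from a real host).
sample_lsattr() {
    cat <<'EOF'
-----a--------e------- /var/log/messages
--------------e------- /var/log/auth.log
----ia--------e------- /var/log/secure
EOF
}

# On a live system (setting the flag needs root):
#   chattr +a /var/log/messages
#   lsattr /var/log/* | missing_append_only
sample_lsattr | missing_append_only
```

Root can clear the flag again with `chattr -a`, so this guards against accidental or unprivileged rewriting of logs, which matches the point in the reply that a real sysadmin cannot be locked out.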
