Good day everyone,

In my battles to centralize my PF and other logs with a secure means, I have decided to dump syslog because, well, it couldn't handle the data loads without dropping data and I can't be losing logs.

I also don't want to install 3rd-party software on my systems where possible, as I want them to do only what is needed while limiting risks. This being said, I have taken a little different approach and could use some advice, so here goes.

I created a file that has the following info and made it executable to root and the wheel group and no access to everyone. This file sits in /usr/local/bin with the name logkick:

#!/bin/sh
# this file is used to roll over the PFLog file to a new file so that
# it can be transferred to the Corporate log server every hour
set -e
DATE=$(date +%d%m%y%H)
HOSTNM=$(hostname)
# the live pflog and /var/log itself are root-owned (mv keeps the owner),
# so every step that touches them has to go through sudo, not only the
# mv and the HUP
sudo mv /var/log/pflog "/var/log/pflog-$DATE$HOSTNM"
sudo chmod 660 "/var/log/pflog-$DATE$HOSTNM"
sudo touch /var/log/pflog
# tell pflogd to reopen its log file
sudo kill -HUP "$(cat /var/run/pflogd.pid)"

I have created an account on my firewalls and logging system which is in the sudoers file with the ability to do all without a password being prompted for (probably risky, but this is why I'm asking for feedback). This user is also part of the wheel group.

On my logging system, I created a script in the user's home folder called loggrab. This is mode 700:

#!/bin/sh
# rotate, copy, and only then delete: the && chain stops if the copy
# fails, so nothing is removed that has not been fetched
ssh [EMAIL PROTECTED] /usr/local/bin/logkick && \
scp '[EMAIL PROTECTED]:/var/log/pflog-*' /home/USERNAME/ && \
ssh [EMAIL PROTECTED] 'sudo rm /var/log/pflog-*'

I have created a public/private key pair so as to make sure the ssh and scp connections can happen securely and without password prompts. This is as far as I have gotten thus far, but I do plan to add an hourly cron job to run this script.

Can you offer me advice on my risk levels for this? I am using a crazy 30-character-length password with symbols, caps, numbers etc., so I think the account is pretty safe. I think the risk here would be if someone hacked this account, they could do anything on my systems, but with a long password like this I think it would be a little tough to accomplish. I am also looking at shutting down SSH unless you tunnel in first and then you can SSH to the server via the internal IP.

Anyhow, any suggestions on this would be great, as I want to make sure the risks associated with the sudoers process are not too risky, and if there is a better way I could do this, as in limiting exactly what someone using sudo can do, as they only have to HUP the pflogd process; that's the only thing I couldn't get working until I took that step.

Thanks again,
James
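Editor's added example, not part of James's post and not his scripts: one way to answer the "limit exactly what someone using sudo can do" question is to let the shipping account's ssh key start only one script (a forced command in authorized_keys) and to let sudoers allow only one command line of that script, the rotation that needs root. The sketch below assumes an account called loguser that stays in group wheel as in the post, an archive directory /var/log/pflog-archive, the two verbs rotate and send, and that the server pulls a tar stream over ssh instead of using scp plus a separate rm; none of those names come from the post, only the pflog rotation and the HUP to pflogd do.

```sh
#!/bin/sh
# logkick: the one command the log server may run on a firewall.
# Editor's added example, not James's script. The account name (loguser),
# the reuse of group wheel, the archive directory, the verbs and the tar
# stream are assumptions; only the pflog rotation and the HUP to pflogd
# come from the post.
#
# One-time setup on each firewall, as root:
#   install -m 0750 -o root -g wheel logkick /usr/local/bin/logkick
#   install -d -m 0770 -o root -g wheel /var/log/pflog-archive
#   /etc/sudoers (exactly this command line, nothing else):
#     loguser ALL=(root) NOPASSWD: /usr/local/bin/logkick rotate
#   /home/loguser/.ssh/authorized_keys (one line; key pinned to this script):
#     command="/usr/local/bin/logkick",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... logserver
#
# Hourly cron on the log server; files are removed on the firewall only
# after tar has streamed them all, so a failed transfer leaves them there:
#   ssh loguser@fw rotate
#   ssh loguser@fw send > "pflog-fw-$(date -u +%Y%m%d%H%M).tar"
set -eu

# rotate: move the live file aside under a sortable UTC name and make
# pflogd reopen a fresh one. Runs as root: pflog and /var/log are
# root-owned. Paths come from the environment so the functions can be
# exercised outside a real firewall.
rotate_pflog() {
    live="${LOGDIR:-/var/log}/pflog"
    arch="${ARCHIVE:-/var/log/pflog-archive}"
    [ -f "$live" ] || return 0
    mkdir -p "$arch"
    dst="$arch/pflog-$(date -u +%Y%m%d%H%M%S)-$(uname -n)"
    mv "$live" "$dst"
    chmod 0640 "$dst"                     # group wheel may read it for sending
    touch "$live" && chmod 0600 "$live"   # pflogd reopens this on SIGHUP
    kill -HUP "$(cat "${PIDFILE:-/var/run/pflogd.pid}")"
    printf '%s\n' "$dst"
}

# send: stream every rotated file as one tar archive on stdout and delete
# them only after tar finished writing. Runs unprivileged; if the ssh
# channel breaks mid-stream tar fails, the && list stops, nothing is deleted.
send_pending() {
    cd "${ARCHIVE:-/var/log/pflog-archive}"
    set -- pflog-*
    [ -e "$1" ] || return 0               # nothing pending: empty reply
    tar cf - "$@" && rm -f "$@"
}

# Dispatch on the verb the server asked for. sshd puts the client's
# requested command in SSH_ORIGINAL_COMMAND when a forced command is in
# effect; the unprivileged account may escalate only to "logkick rotate",
# the single command line sudoers allows.
main() {
    verb="${1:-${SSH_ORIGINAL_COMMAND:-}}"
    case "$verb" in
        rotate)
            if [ "$(id -u)" -eq 0 ]; then
                rotate_pflog
            else
                exec sudo /usr/local/bin/logkick rotate
            fi ;;
        send)
            send_pending ;;
        *)
            echo "logkick: refusing '$verb'" >&2
            exit 2 ;;
    esac
}

# Only act when running as the installed script; under any other name the
# file merely defines the functions above.
case "$0" in
    */logkick|logkick) main "$@" ;;
esac
```

With this in place, someone who steals the key or the password gets the ability to rotate pflog and to read and delete the archived pflog files, not a root shell: the sudoers rule matches the whole command line, so "sudo /usr/local/bin/logkick send" or "sudo sh" are refused, and the forced command ignores whatever else the client asks ssh to run. Reusing group wheel keeps the setup close to the post; a dedicated group for the shipping account would shrink what the archive directory's 0770 mode exposes.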