Hi Robin,

Consider using Syslog over TCP (+ TLS if you can't trust the network - can we? :-) rsyslog has a nice feature to queue your events when the central rsyslog is not available.

Alternatively, you can use Splunk in distributed mode: collect locally and send to a central Splunk server (http://blog.rootshell.be/2012/12/22/howto-distributed-splunk-architecture/) (Splunk may become expensive if >500MB of data processed per day)

/x

--
Can't sleep, hackers will eat me!
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2C

On 07 Jan 2013, at 00:30, Robin Wood <[email protected]> wrote:

> On 6 January 2013 21:54, Doug Burks <[email protected]> wrote:
>> Hi Robin,
>>
>> One option would be to install Security Onion and enable ELSA. You'll
>> automatically get syslog-ng and a nice web interface to hunt through your
>> logs.
>
> I might do that as the server side, just need to figure out how to get
> various machines to send all their stuff to it.
>
> Robin
>
>> Thanks,
>> Doug
>>
>> On Sunday, January 6, 2013, Robin Wood wrote:
>>> Hi
>>> I'm going to be setting up a syslog server for the first time next week,
>>> can anyone recommend any good guides?
>>>
>>> I know there are quite a few out there but want a good, tested, one.
>>>
>>> Robin
>>
>> --
>> Doug Burks
>> http://securityonion.blogspot.com
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
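The setup suggested above (rsyslog forwarding over TCP with TLS, plus a queue so events survive an outage of the central server) as an added configuration example; this is not from the mail thread or the rsyslog project's documentation. It assumes rsyslog 7 or later with RainerScript syntax and the gtls network stream driver, a CA-signed certificate already issued to each host, and placeholder hostnames and paths (loghost.example.internal, /etc/rsyslog.d/tls/) that you would replace with your own.

```conf
# ---- Client side: /etc/rsyslog.d/forward.conf (constructed example) ----
# workDirectory is where disk-assisted queue files are written.
# The TLS files are placeholders; point them at your own CA and host certificate.
global(
    workDirectory="/var/spool/rsyslog"
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Forward every message over TCP on 6514 (the registered syslog-over-TLS port).
# StreamDriverMode="1" requires TLS; x509/name makes the client verify that the
# server certificate chains to the CA and that its name matches PermittedPeers,
# so a host that intercepts the connection cannot silently collect your logs.
# The queue.* parameters create a disk-assisted queue: messages are held in
# memory, spill to disk when the server is unreachable (up to 1 GiB), are saved
# across a restart, and the action retries forever instead of dropping events.
action(
    type="omfwd"
    target="loghost.example.internal"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="loghost.example.internal"
    queue.type="LinkedList"
    queue.filename="fwd_loghost"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)

# ---- Server side: /etc/rsyslog.d/listen.conf (constructed example) ----
# Same global() TLS settings as above, with the server's own cert and key.
# Listening with x509/name and a PermittedPeer pattern means only hosts holding
# a certificate from your CA with a matching name can inject log lines.
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/name"
    PermittedPeer=["*.example.internal"]
)
input(type="imtcp" port="6514")
```

After restarting rsyslog on both ends, a quick check is to stop the listener on the server, generate a few messages on a client with `logger`, confirm that a `fwd_loghost` queue file appears under /var/spool/rsyslog, then start the listener again and verify the buffered messages arrive. Without the queue parameters, events generated while the server is down are simply lost, which is exactly the gap an attacker tampering with the collector would want.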
