You can install syslog-ng and configure the /etc/syslog-ng.conf file to just accept all syslog traffic. You can easily separate out logs for each host (and more; it can get granular) by setting up filters. Essentially syslog-ng.conf is composed of a "destination", which is where you want the log files to go, a "filter" that parses the incoming syslog messages and places them in the right log file, and then the "log paths", which are basically "source" (udp); "filter" (host); "destination" (log files).
Install it and open the conf file, pretty straightforward and easy. Edit logrotate.conf as well. Here are some quick articles and a forum that go over the basics to get it up and running:
http://sudonetworks.com/wiki/index.php?title=Syslog-ng_for_IP_Networks
http://blog.monitis.com/index.php/2011/08/28/getting-started-with-syslog-ng/
http://blog.monitis.com/index.php/2011/08/31/how-to-filter-logs-with-syslog-ng/
http://www.syslog.org/forum/syslog-ng/

On Mon, Jan 7, 2013 at 10:58 AM, Robin Wood <[email protected]> wrote:
> On 7 January 2013 15:18, Ralph Durkee <[email protected]> wrote:
>> You haven't given much background on why you want a syslog server. But you
>> may want to consider if something like OSSEC.net would be a better and more
>> complete solution. It's a multi-platform host-based IPS with centralized
>> monitoring. Open source as well!
>
> Unfortunately I can't give too much away as it is part of a commercial
> project; at the moment they just want me to evaluate how easy it is to
> set up and gain an idea of how much data is generated each day.
>
> I'll have a look at OSSEC as well but I think from what I've been told
> that a simple syslog server with Snare to grab logs from Windows will
> do what they want.
>
> Robin
>
>> -- Ralph Durkee
>>
>> Xavier Mertens <[email protected]> wrote:
>>>
>>> Hi Robin,
>>>
>>> Consider using Syslog over TCP (+ TLS if you can't trust the network - can
>>> we? :-)
>>> rsyslog has a nice feature to queue your events when the central rsyslog
>>> is not available.
>>>
>>> Alternatively, you can use Splunk in distributed mode: collect locally and
>>> send to a central Splunk server
>>> (http://blog.rootshell.be/2012/12/22/howto-distributed-splunk-architecture/)
>>>
>>> (Splunk may become expensive if >500MB of data processed per day)
>>>
>>> /x
>>>
>>> --
>>> Can't sleep, hackers will eat me!
>>> PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2C
>>>
>>> On 07 Jan 2013, at 00:30, Robin Wood <[email protected]> wrote:
>>>
>>>> On 6 January 2013 21:54, Doug Burks <[email protected]> wrote:
>>>>>
>>>>> Hi Robin,
>>>>>
>>>>> One option would be to install Security Onion and enable ELSA. You'll
>>>>> automatically get syslog-ng and a nice web interface to hunt through your
>>>>> logs.
>>>>
>>>> I might do that as the server side, just need to figure out how to get
>>>> various machines to send all their stuff to it.
>>>>
>>>> Robin
>>>>
>>>>> Thanks,
>>>>> Doug
>>>>>
>>>>> On Sunday, January 6, 2013, Robin Wood wrote:
>>>>>
>>>>>> Hi
>>>>>> I'm going to be setting up a syslog server for the first time next week,
>>>>>> can anyone recommend any good guides?
>>>>>>
>>>>>> I know there are quite a few out there but want a good, tested, one.
>>>>>>
>>>>>> Robin
>>>>>
>>>>> --
>>>>> Doug Burks
>>>>> http://securityonion.blogspot.com
>>>>>
>>>>> ________________________________
>>>>>
>>>>> Pauldotcom mailing list
>>>>> [email protected]
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com
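A minimal /etc/syslog-ng.conf that puts the pieces described in the reply above together (sources, a filter, a per-host destination and the log paths that join them), written here as an added example; it is not from the original post or from any of the linked articles. It also takes up the suggestion in the thread of syslog over TCP with TLS. The listening ports, the certificate paths under /etc/syslog-ng/, the 192.0.2.0/24 range used to pick out the Windows (Snare) senders and the /var/log/remote/ tree are all assumptions chosen for illustration, and the syntax is the syslog-ng 3.x style.

```conf
@version: 3.5

options {
    # Name the per-host log directory after the address the message actually
    # arrived from, not the hostname the sender wrote into the message, so a
    # client cannot pick which host's file its lines land in.
    keep_hostname(no);
    use_dns(no);
    chain_hostnames(no);
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
};

# Source 1: plain UDP/514 for devices that cannot do anything else
# (no delivery guarantee, no sender authentication; see the TLS source below).
source s_remote_udp {
    udp(ip(0.0.0.0) port(514));
};

# Source 2: TCP/6514 with TLS; clients must present a certificate signed by a
# CA in ca.d, so only enrolled senders can write to the server.
# Assumed paths: server key/cert and CA directory under /etc/syslog-ng/.
source s_remote_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            key-file("/etc/syslog-ng/cert.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# Filters: pick out senders by network (constructed range for the Windows
# boxes) and authentication-related messages by facility.
filter f_windows { netmask(192.0.2.0/255.255.255.0); };
filter f_auth    { facility(auth, authpriv); };

# Destination: one directory per sending host, one file per day.
# ${HOST} is the sender address because of keep_hostname(no)/use_dns(no).
destination d_per_host {
    file("/var/log/remote/${HOST}/${YEAR}${MONTH}${DAY}.log"
         template("${ISODATE} ${HOST} ${PROGRAM}[${PID}]: ${MESSAGE}\n")
         create-dirs(yes));
};

# Extra destinations for the two filtered views.
destination d_windows { file("/var/log/remote/windows/${HOST}.log"); };
destination d_auth    { file("/var/log/remote/auth.log"); };

# Log paths: source -> (filter) -> destination.
log { source(s_remote_udp); source(s_remote_tls); destination(d_per_host); };
log { source(s_remote_udp); source(s_remote_tls); filter(f_windows); destination(d_windows); };
log { source(s_remote_udp); source(s_remote_tls); filter(f_auth);    destination(d_auth); };
```

Check the file with `syslog-ng -s -f /etc/syslog-ng.conf` before restarting the daemon, then send a test line from a client with util-linux `logger` (for example `logger -n <server> -P 514 -d "test"` for UDP) and confirm it appears under /var/log/remote/<client-ip>/. Because the per-host files already carry the date in their name, the logrotate.conf entry the reply mentions only needs to compress and expire old files in /var/log/remote/ rather than rename them; the size of that tree after a few days is also the quickest way to answer the thread's question of how much data is generated per day.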
