Posted in Linux Red Hat/CentOS Security
CentOS 5 : sending logs to a central log server
On the log server:
Edit /etc/sysconfig/syslog and change SYSLOGD_OPTIONS to match the following:
SYSLOGD_OPTIONS="-m 0 -r -s example.com"
-r: accept log messages from the network; only needed on the log server
-s: strip the given domain name from hostnames before logging (client.example.com is logged as client)
Restart the service:
# service syslog restart
The server will now listen on UDP/514.
Make sure the firewall configuration on the log server allows that port.
On the “client” (the machine sending the logs):
Edit /etc/syslog.conf and add the following line:
*.* @loghost.example.com
With that line added and the default configuration kept, the logs are still stored on the client machine and are sent to the log server as well.
Restart the service:
# service syslog restart
Restart any service (ntpd, for example) and check that its log messages appear on the log server.
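The script below is an added example written for this page, not part of the original post: a POSIX shell script that checks the two settings the procedure relies on (the -r option in the server's /etc/sysconfig/syslog and the @loghost forwarding line in the client's /etc/syslog.conf) and, when run with the argument check on a real client, sends a uniquely tagged test message with logger so you can grep for it on the log server. The configuration contents embedded in it are constructed to mirror the post; the firewall rule is one iptables form of "allow that port", narrowed to an assumed client network 192.0.2.0/24.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the sysklogd
# central-logging setup above. Plain POSIX sh, no root needed for self-check.

# Constructed sample contents, mirroring the post's settings, used by self_check.
SAMPLE_SERVER_SYSCONFIG='SYSLOGD_OPTIONS="-m 0 -r -s example.com"'
SAMPLE_CLIENT_SYSLOG_CONF='# constructed sample of a client /etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
*.*                                         @loghost.example.com'

# Server side: print "yes" if SYSLOGD_OPTIONS in the given sysconfig file
# contains -r (accept messages from the network), otherwise "no".
server_accepts_remote() {
    opts=$(sed -n 's/^SYSLOGD_OPTIONS="\(.*\)"/\1/p' "$1")
    case " $opts " in
        *" -r "*) echo yes ;;
        *)        echo no ;;
    esac
}

# Client side: print the remote log hosts configured in the given syslog.conf,
# i.e. the target of every non-comment line whose action starts with '@'.
client_log_hosts() {
    awk '$1 !~ /^#/ && $2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' "$1"
}

# Server side firewall: one iptables form of "allow that port". The source
# network is an assumption; narrowing it limits who can reach the listener,
# but UDP source addresses are easily forged, so this is not authentication.
firewall_rule() {
    echo "iptables -I INPUT -p udp --dport 514 -s $1 -j ACCEPT"
}

# Run both checks against the constructed samples (no root, no network needed).
self_check() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SERVER_SYSCONFIG" > "$dir/syslog"
    printf '%s\n' "$SAMPLE_CLIENT_SYSLOG_CONF" > "$dir/syslog.conf"
    echo "server accepts remote messages: $(server_accepts_remote "$dir/syslog")"
    echo "client forwards to: $(client_log_hosts "$dir/syslog.conf" | tr '\n' ' ')"
    rm -rf "$dir"
}

# End-to-end check on a real client: log a uniquely tagged message, confirm the
# local copy, then grep for the same tag in the log server's messages file.
send_test_message() {
    tag="centralsyslog-test-$$"
    logger -t "$tag" "central logging test"
    sleep 1
    grep -q "$tag" /var/log/messages && echo "local copy ok, now grep $tag on the log server"
}

case "${1:-}" in
    self-check) self_check ;;
    check)      server_accepts_remote /etc/sysconfig/syslog
                client_log_hosts /etc/syslog.conf
                send_test_message ;;
esac
```

Run it as sh check_syslog.sh self-check to exercise the parsers on the embedded samples, and as sh check_syslog.sh check on a client to verify the live files and emit the test message; the tag printed at the end is what to look for in /var/log/messages on the server.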
Obviously, this post is just a reminder.
Keep in mind that syslog uses UDP, which is an unreliable transport: during an attack, packets may be dropped and log messages lost with them.
There is also no authentication, so an attacker could send forged log messages to the log server.
The logs travel in clear text as well.
Syslog-ng addresses all these issues:
http://www.balabit.com/network-security/syslog-ng/
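As an added illustration of the syslog-ng alternative (example configuration written for this page, not taken from the post or from Balabit's documentation), here is the client and server side of the same setup using TCP instead of UDP. It assumes the 2.x syslog-ng package mentioned in the comments, the log host loghost.example.com, and that the configuration lives in /etc/syslog-ng/syslog-ng.conf on both machines.

```conf
# --- client: /etc/syslog-ng/syslog-ng.conf (added example, not from the post) ---
options { use_dns(no); keep_hostname(yes); };

source s_local {
    unix-stream("/dev/log");
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
};

# keep the local copy, as the sysklogd setup above does
destination d_messages { file("/var/log/messages"); };

# TCP instead of UDP: messages are not silently dropped under load, and the
# client notices when the server is unreachable
destination d_loghost { tcp("loghost.example.com" port(514)); };

log { source(s_local); destination(d_messages); destination(d_loghost); };

# --- server: /etc/syslog-ng/syslog-ng.conf (added example, not from the post) ---
options { use_dns(no); keep_hostname(yes); create_dirs(yes); };

source s_local { unix-stream("/dev/log"); internal(); };

# listen on TCP/514 (so open TCP/514 rather than UDP/514 in the firewall) and
# cap the number of simultaneous client connections
source s_net { tcp(ip(0.0.0.0) port(514) max_connections(100)); };

# one directory per sending host; $HOST is the hostname carried in the message
destination d_remote {
    file("/var/log/remote/$HOST/messages" owner(root) group(root) perm(0640) dir_perm(0750));
};

log { source(s_net); destination(d_remote); };
```

Note what this does and does not fix: TCP removes the silent packet loss of UDP, but with keep_hostname(yes) the server still files messages under whatever hostname the sender claims, and the stream is still clear text. Encryption and certificate-based client authentication require the tls() transport options that later syslog-ng releases add on top of the tcp() driver shown here.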
Comments
Sébastien Wains
Here it is: http://centos.karan.org/el5/extras/testing/i386/RPMS/syslog-ng-2.0.3-1.el5.kb.i386.rpm
Tristan Grimaux
No luck… it asks for a libevent package and I don’t want to break anything.
I have installed a CentOS system because I downloaded a pbx distro and it just has it there, but I am a Debian guy and I have a big problem understanding WHAT is CentOS as a whole.
Questions
1) There are very few repos for CentOS, and people tend to install rpm files directly… why is that? Or HOW do you manage to keep your systems clean and working?
2) I only added the third party packages (dries, dag, atrpms and the kbs’s) and things seem to be broken. I can’t yum update anymore… are things so fragile with this yum thing?
3) HOW ON EARTH DOES A DISTRO ORIENTED TO ENTERPRISES NOT HAVE syslog-ng IN ITS DEFAULT REPOS????????
At the beginning I exploded against all centonians, but then I looked at their community and I started to respect them… but I’m still puzzled by the way these things…
Sébastien Wains
Hi Tristan,
Every question you raise is legitimate. Coming from Debian, approaching Red Hat/CentOS can be somewhat rough. I can tell you it is a breath of fresh air when you come from CentOS and switch to Debian.
1. Exactly, you must rely on some third party repositories. With all due respect to the guys maintaining these repos, you can’t trust these packages as much as the ones in Debian repositories. I’ve personally noticed bugs in some packages.
2. I was usually using third party repositories only when needed; if you “yum update” with third parties enabled, you’ll probably break stuff as some packages will take over packages from the base repository.
3. This is why I switched to Debian.. everything is just an “apt-get install” away!
And as to the community, I actually started to feel the opposite a while back, some members can be cocky and obnoxious. Why are they providing “support” on IRC if you’re supposed to know the answer before asking the question?
I guess you’ve downloaded Trixbox. If you want a PBX running on Debian, my company sells a web frontend to Asterisk but it doesn’t come free.
Tristan Grimaux
I was just about to make my own installation of Asterisk using Debian, but then I checked the various flavors of pbxs and many are CentOS installations. So I thought: there has to be a good reason to use it.
I try to understand, I love to gain new knowledge so I try to understand,
but…
Why a copycat distro? This is the most disgusting thing of all: in order to achieve binary compatibility with RHEL, CentOS sacrifices integrity… it looks like… like WINDOWS!!! OMG!!!!
CentOS operators know they will break their systems if they need a single stupid thing out of those little repos. It is insane!
Is this real??!??! And it’s really oriented to enterprises? What is a cheap enterprise anyway???? Just to avoid support costs? It’s mad if anything…
I would love to be wrong, sincerely. I will reinstall my pbx ASAP.
Carlos Barbet
Enough bashing the CentOS guys. I’ve installed syslog-ng on CentOS 5 many times in the past; granted, I agree that it would be more effective if they [and by they I mean RedHat too] included the syslog-ng package as part of the base repository, but I believe it is due to the “semi” free style of syslog-ng that they are not including it.
In any event, I have had a complete 180 in perspective going from RedHat based systems to Debian. Debian [and Ubuntu by extension], IMHO, is great as a desktop/laptop OS, but can be found wanting as a server OS, while RedHat [and CentOS] are wonderful as backroom servers. I hope they stay this way.
Please Debian and Ubuntu developers, push the desktop/laptop envelope and become exceptional at it. Compiz is an Aero killer, just need to fine tune the desktop lockdown features.
Please RedHat and CentOS teams, continue to look for the best open source tools to add to the base repositories. Syslog-ng and OpenNMS for example would be great additions. Also work with the Debian and Ubuntu folks to get the Desktop Management of Linux to surpass that of AD+GPOs.
OpenBSD… My favorite appliance OS, PF beats all other (open source) firewalls hands down (especially when tied into CARP). OBSD also makes a darn great SMTP server, and single use Apache system, etc…
Mike Hanby
FYI, syslog-ng is now included in the EPEL repository for RHEL and CentOS.
https://fedoraproject.org/wiki/EPEL
Tristan Grimaux
How to install syslog-ng in CentOS??!??!?!?! There is no package in sight… is this possible?!?!?