How do I write my servers' log files to a remote server or repository?

bdainis
Posts: 28
Joined: 2012/04/18 00:02:24

How do I write my servers' log files to a remote server or repository?

Post by bdainis » 2012/06/15 23:01:05

I have a few CentOS servers that host a bunch of websites. I would like to set up all my production servers to write their log files to a remote VPS whose only purpose is to collect log files from all my servers.

I want it to be done securely through SSH or something, and also in real time.

The reason I want to do this is to prevent intruders from tampering with the logs in the event of an intrusion.

I did some Googling on the topic, and the keywords I used must have triggered the wrong results, because I was mostly finding articles about how to log in remotely to a CentOS desktop, which I do not have on my machines, nor do I care to have it.

Does anybody have any ideas on how to accomplish this?

DaemonProgrammr
Posts: 78
Joined: 2011/12/12 12:49:46

Re: How do I write my servers' log files to a remote server or repository?

Post by DaemonProgrammr » 2012/06/18 10:32:29

You might want to look into 'scp'. This is a file transfer utility that sends the files over SSH.

To automate the process, research authentication with certificates, instead of username / password.

jlehtone
Posts: 3259
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How do I write my servers' log files to a remote server or repository?

Post by jlehtone » 2012/06/18 10:51:31

Automatic 'scp' implies that the webhost has something that can authenticate to the loghost. That sounds eerie.

'rsyslogd', the system logger, can send data to a remote rsyslogd. That is clearly an "append-only" style of copy -- much more limited than scp. Use of rsyslogd requires that the web server processes can log via the system logger instead of direct file writes.

I would consider a VPN rather than ssh to encrypt the traffic. How about raw IPsec? The firewall of the loghost should obviously allow only the rsyslogd connections from the web hosts.

bdainis
Posts: 28
Joined: 2012/04/18 00:02:24

Re: How do I write my servers' log files to a remote server or repository?

Post by bdainis » 2012/06/18 16:59:31

Thank you for the replies. I did a bit more digging and found these two resources.

http://www.rsyslog.com/doc/rsyslog_conf_actions.html

http://kb.monitorware.com/remote-logging-on-redhat-with-rsyslog-t1706.html

What do you think of the info they posted there?

I have used SCP to manage files in a GUI interface before, but never used it in an application like this.

I'm still kind of confused on where to start. Is there a configuration file on CentOS to connect rsyslogd to another remote host and write logs that way?

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: How do I write my servers' log files to a remote server or repository?

Post by unspawn » 2012/06/21 05:50:17

jlehtone wrote:
> Automatic 'scp' implies that the webhost has something that can authenticate to the loghost. That sounds eerie.

I agree, and it's not necessary.

jlehtone wrote:
> Use of rsyslogd requires that the web server processes can log via system logger instead of direct file writes.

Rsyslog can read in contents from plain log files as well.

bdainis wrote:
> Is there a configuration file on CentOS to connect rsyslogd to another remote host and write logs that way?

For this rsyslog works like "old syslog"; see "man rsyslog.conf" and look for "Remote machine" under the "ACTIONS" header: *.* @[remote_machine_IP] or *.* :omrelp:[remote_machine_IP]:[remote_port]. Note that you should first ensure the syslog daemons on both sides run correctly, then on the receiving side add the right transport (like "$ModLoad imudp" for standard reception on UDP/514), set up rules to process remote messages (probably into separate log files) before the local rules, and ensure the firewall on both sides allows syslog traffic *between specific host addresses* (don't just open up port UDP/514 to everyone).
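The steps unspawn lists (client forwarding action, receiver transport, remote rules filed ahead of local ones, firewall limited to specific hosts) laid out as concrete CentOS 6 configuration. This is an added example, not code from anyone in the thread. It assumes rsyslog 5.x legacy syntax as shipped with CentOS 6, the constructed addresses 192.0.2.10 for the loghost and 192.0.2.21/192.0.2.22 for the web hosts, and TCP/514 ("@@") rather than the UDP/514 ("@") mentioned above, so that a short outage or a dropped packet does not silently lose messages. It also uses imfile to pick up Apache's plain access_log, which is how rsyslog covers web server processes that write straight to files. The script only prints the fragments and commands; nothing is installed until you copy them into place.

```shell
#!/bin/sh
# Added example (not from the thread): generate the rsyslog client and
# server fragments plus the iptables rules for a dedicated loghost.
# Assumptions: loghost 192.0.2.10, web hosts 192.0.2.21 and 192.0.2.22
# (all constructed addresses), rsyslog 5.x legacy syntax as shipped with
# CentOS 6, and TCP/514 as the transport instead of UDP/514.

# Client fragment for a web host: tail Apache's plain access log with
# imfile, spool to disk while the loghost is unreachable, forward everything.
client_conf() {
    loghost="$1"
    sed "s/__LOGHOST__/$loghost/" <<'EOF'
# --- /etc/rsyslog.d/loghost.conf (web host) ---
# Web server logs are written straight to files; imfile feeds them to syslog.
$ModLoad imfile
$InputFileName /var/log/httpd/access_log
$InputFileTag httpd-access:
$InputFileStateFile state-httpd-access
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

# Disk-assisted queue: a loghost outage must not silently drop messages.
$ActionQueueType LinkedList
$ActionQueueFileName loghost_fwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# '@@' selects TCP; a single '@' would be plain UDP/514.
*.* @@__LOGHOST__:514
EOF
}

# Server fragment for the loghost: listen on TCP/514, accept only the listed
# senders, file remote messages per host and program, then discard them so
# the stock local rules further down never see them.
server_conf() {
    senders="127.0.0.1"
    for h in "$@"; do senders="$senders, $h"; done
    sed "s/__SENDERS__/$senders/" <<'EOF'
# --- /etc/rsyslog.d/remote.conf (loghost) ---
$ModLoad imtcp
# Second line of defence behind the firewall: unlisted senders are dropped.
$AllowedSender TCP, __SENDERS__
$InputTCPServerRun 514

# One file per sending host and program; '& ~' discards the message afterwards.
$template RemoteHost,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteHost
& ~
EOF
}

# iptables commands for the loghost: one ACCEPT per web host, nothing else
# may reach TCP/514. -I inserts ahead of the stock REJECT rule in INPUT.
firewall_rules() {
    for h in "$@"; do
        printf 'iptables -I INPUT -p tcp -s %s --dport 514 -m state --state NEW -j ACCEPT\n' "$h"
    done
    echo 'service iptables save'
}

# Stand-alone run: print all three pieces for the constructed addresses.
client_conf 192.0.2.10
echo
server_conf 192.0.2.21 192.0.2.22
echo
firewall_rules 192.0.2.21 192.0.2.22
```

After copying the fragments into /etc/rsyslog.d/ and restarting rsyslog on both sides, check that the stock /etc/rsyslog.conf on the loghost pulls in /etc/rsyslog.d/*.conf via $IncludeConfig before its RULES section; that ordering is what makes the remote messages get filed and discarded before the local rules, as unspawn describes. A quick end-to-end check is `logger -t remotetest hello` on a web host followed by looking for /var/log/remote/<webhost>/remotetest.log on the loghost. Note that this carries the syslog stream in the clear: jlehtone's point about IPsec or a VPN still applies if the hosts are not on a trusted network.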

