On Tue, 19 Feb 2008 18:26:06 +0200, shadow floating said:

> Hi all,
> is it appropriate from security point of view to have one server in
> which syslog is installed to collect logs from all network devices

In general, yes. That way, even if a box is compromised and the attacker manages to wipe the local copy of the logs, you still have another copy elsewhere.

It's even *more* useful for the more common case - a machine is starting to go unstable, logging on the fly to both local disk and a remote machine. It finally belly-ups, and the last bit of logs on the local end aren't flushed to disk. However, you still have a captured copy on the syslog server where you can figure out why the machine died.

> network devices?, if yes, does any one recommend certain specs for this
> machine or it can be an ordinary machine with 1 GB of memory and 512
> GB hard disk and 3.2 GHz processor.

This is entirely dependent on local configuration issues - how many devices you have, what level of logging you do (just critical messages, or everything from debug on up), and what (if any) log retention requirements you have.

If you have 30 systems, only log critical messages that pop out once every hour or so, and only keep 30 days worth, an old Pentium-II with a 300 meg hard drive will be enough. If your network infrastructure includes 1,100 switches, 1,300 wireless access points, several hundred servers, and you have legal requirements to keep stuff for 3 years, you'll want something a bit beefier.

I *can* say that a box with 4 2.8GHz Xeons and 2G of RAM running syslog-ng can handle 800 msgs/sec without even breaking a sweat, and stress tests indicate that 4K/sec is easily doable.
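As an added example (not part of the original post or the thread), a minimal Python UDP collector that applies the "just critical messages" filtering the reply mentions by parsing the BSD-syslog PRI field, plus a sizing helper for the device-count / message-rate / retention trade-off. The sample messages, hostnames, port and output path are constructed assumptions.

```python
import re
import socket

# Constructed sample messages in BSD-syslog (RFC 3164) format; not from the original post.
SAMPLE_MESSAGES = [
    "<34>Feb 19 18:26:06 fw01 kernel: Out of memory: killing process 1234",   # auth.crit
    "<190>Feb 19 18:26:07 sw-core01 lldpd[771]: neighbor changed on port 3",  # local7.info
    "<13>Feb 19 18:26:07 ap-114 hostapd: STA associated",                     # user.notice
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(line: str):
    """Split a syslog line into (facility, severity, rest); PRI = facility * 8 + severity.
    Returns None for lines with a missing or out-of-range PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def keep(line: str, max_severity: int) -> bool:
    """Keep a message only if it is at least as severe as the threshold
    (lower number = more severe; 2 == crit, 7 == debug)."""
    parsed = parse_pri(line)
    return parsed is not None and parsed[1] <= max_severity


def msgs_per_sec(devices: int, msgs_per_device_per_hour: float) -> float:
    """Aggregate arrival rate at the collector, for comparison with a measured ceiling."""
    return devices * msgs_per_device_per_hour / 3600


def estimate_storage_gb(devices: int, msgs_per_device_per_hour: float,
                        avg_bytes: int, retention_days: int) -> float:
    """Uncompressed disk needed to hold the whole retention window."""
    total = devices * msgs_per_device_per_hour * 24 * retention_days * avg_bytes
    return total / 1e9


def collect(bind_addr: str = "0.0.0.0", port: int = 514, max_severity: int = 2,
            out_path: str = "central.log") -> None:
    """Receive UDP syslog, drop anything below the severity threshold, append to disk."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(out_path, "a", encoding="utf-8") as out:
        while True:
            data, (src, _) = sock.recvfrom(8192)
            line = data.decode("utf-8", errors="replace").rstrip()
            if keep(line, max_severity):
                out.write(f"{src} {line}\n")
                out.flush()  # flush per line so the remote copy survives a sender's crash
```

Running `collect()` needs a privileged port or a high port such as 5514; `keep(msg, 2)` on the samples keeps only the first (crit) line.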
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/