
Configure Local and Remote System Logging : Ubuntu

A Linux machine has a logging system that keeps track of what everything is doing.  Any time you authenticate with sudo, it gets logged.  Any time you (or someone else) connect via SSH, it gets logged.  Apache logs connections; mail servers log messages sent and refused.  Pretty much everything keeps a log of what it is doing so you can troubleshoot it later or simply have a record of it.

For those who are security minded, it is a good idea to keep a duplicate of your logs by sending them not only to files on the local machine but to a remote machine as well.  That way, even if an attacker gets into the first machine, his steps have already been logged remotely before he can clear them locally.  It has a number of other valuable uses, of course.  In any event, here are a few quick steps to set it up.

/etc/syslog.conf

This file is the main "what gets logged and where" file for your system.  If you take a look at it you'll see that it takes the different types of logs (mail here, cron there, and so on) and writes each to the appropriate file.  We can tell the system to send the logs elsewhere as well by adding a rule such as:

*.*    @192.168.0.5

(replace 192.168.0.5 with your log server's IP).  The "@" in front of the host name means "forward over the network"; with sysklogd that is plain UDP to port 514.  This rule sends *everything* to the remote machine, which then files each message according to the rules in its own syslog.conf.

or

facility.priority    @192.168.0.5    (again, replace with your log server's IP)

for example:

mail.*    @192.168.0.5

This sends just the one type of log (mail, cron, auth, and so on) to the remote server while everything else stays local.  The left-hand side is a selector of the form facility.priority, exactly like the existing rules in the file; a comma-separated list of facilities and the ";" separator between selectors work here too.  Follow the syntax already used in the file if you go this route.
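The rules above only do what you expect if the selector syntax is right, and the only way the post offers to check is to restart syslogd and watch.  The following is an added example, not code from the original post: a small Python interpreter for sysklogd-style syslog.conf rules that reports which actions (files, pipes, remote hosts) a message of a given facility and priority would be delivered to, so you can confirm that the auth messages you care about really reach the log server before restarting anything.  SAMPLE_CONF is a constructed file modelled on the stock Ubuntu layout plus one forwarding rule; 192.168.0.5 is the placeholder log server address from the post.

```python
"""Interpret the rule lines of a sysklogd-style /etc/syslog.conf.

Added example (not code from the original post): given the text of a
syslog.conf, report which actions a message with a given facility and
priority would be sent to.  SAMPLE_CONF is a constructed file modelled on
the stock Ubuntu layout plus one forwarding rule.
"""
from __future__ import annotations

import re

# Priorities run from 0 (most severe) to 7; a bare "facility.prio" selector
# matches that priority and everything more severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "security", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def _level(name: str) -> int:
    name = PRIORITY_ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {name!r}")
    return PRIORITIES.index(name)


def parse_action(action: str) -> tuple:
    """Classify the right-hand side of a rule line."""
    if action.startswith("@@"):          # TCP forwarding (rsyslog syntax, not sysklogd)
        return ("remote", "tcp", action[2:])
    if action.startswith("@"):           # classic forwarding: UDP to port 514
        return ("remote", "udp", action[1:])
    if action.startswith("|"):           # named pipe
        return ("pipe", action[1:])
    if action == "*":                    # write to every logged-in user's terminal
        return ("wall", "*")
    if action.startswith(("/", "-/")):   # a leading '-' means "don't sync after each line"
        return ("file", action.lstrip("-"))
    return ("users", action)             # comma-separated list of user names


def parse_rule(line: str) -> tuple[dict[str, set[int]], tuple] | None:
    """Return ({facility: set of matching levels}, action), or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    selectors, action = re.split(r"\s+", line, maxsplit=1)
    allowed: dict[str, set[int]] = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):               # later selectors override earlier ones
        facs, prio = sel.rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in allowed:
                raise ValueError(f"unknown facility {fac!r} in {line!r}")
            if prio == "none":                     # drop this facility from the rule
                allowed[fac] = set()
            elif prio == "*":
                allowed[fac] = set(range(len(PRIORITIES)))
            elif prio.startswith("="):             # exactly this priority
                allowed[fac] = {_level(prio[1:])}
            elif prio.startswith("!"):             # exclude this priority and more severe
                allowed[fac] -= set(range(_level(prio[1:]) + 1))
            else:                                  # this priority and more severe
                allowed[fac] = set(range(_level(prio) + 1))
    return allowed, parse_action(action)


def route(conf: str, facility: str, priority: str) -> list[tuple]:
    """All actions, in file order, that a message with this facility/priority hits."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    lvl = _level(priority)
    hits = []
    for line in conf.splitlines():
        parsed = parse_rule(line)
        if parsed and lvl in parsed[0][facility]:
            hits.append(parsed[1])
    return hits


def remote_hosts_for(conf: str, facility: str, priority: str) -> set[str]:
    """Remote log servers that receive this kind of message (empty set means local only)."""
    return {act[2] for act in route(conf, facility, priority) if act[0] == "remote"}


SAMPLE_CONF = """\
# constructed sample: stock Ubuntu-style rules plus one forwarding line
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
cron.*                          /var/log/cron.log
mail.*                          -/var/log/mail.log
mail.err                        /var/log/mail.err
*.emerg                         *
auth,authpriv.*                 @192.168.0.5
"""

if __name__ == "__main__":
    for fac, pri in [("auth", "info"), ("mail", "err"), ("kern", "emerg")]:
        print(f"{fac}.{pri:8} -> {route(SAMPLE_CONF, fac, pri)}")
    # sudo and ssh authentication messages are the ones an intruder most wants
    # to erase, so check that they are copied off the box:
    assert remote_hosts_for(SAMPLE_CONF, "authpriv", "notice") == {"192.168.0.5"}
```

Point it at a copy of your real file (open("/etc/syslog.conf").read()) and ask remote_hosts_for(conf, "authpriv", "notice"); an empty set means sudo and ssh events stay local only.  The model covers the classic sysklogd selector forms (facility lists, "*", "none", "=prio", "!prio"); rsyslog's extended syntax beyond "@@host" is not modelled and unknown names raise rather than being silently ignored.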

/etc/default/syslogd

This file holds the command-line options for the system logging daemon, and it is where we tell the remote machine (the log server) to listen for and accept logs.  As one of the comments in the file says, you simply add "-r" (receive remote messages) to the SYSLOGD="" field.  Example:

SYSLOGD="-r"

Bear in mind that "-r" makes syslogd accept messages from any host that can reach UDP port 514, and classic syslog is neither authenticated nor encrypted, so limit that port to your trusted senders with a firewall rule.  Once you have made these changes on the sending machine (/etc/syslog.conf) and on the log server (/etc/default/syslogd), restart syslogd on both with the following command:

sudo /etc/init.d/sysklogd restart

At this point you should be able to view the logs on the remote machine (for example with "tail -f /var/log/[logfile]") and see entries tagged with the sending machine's hostname.  Oh, and you can send *.* from A to B and *.* from B to A without causing an endless loop: by default sysklogd does not forward messages it received from another host (that requires its "-h" option), so each machine simply ends up holding a backup of the other's logs.
