LinuxQuestions.org
Old 11-18-2004, 07:17 AM   #1
juanb
Member
 
Registered: May 2002
Posts: 401

Rep: Reputation: 30
Question configure syslog


Hi,

I am in the process of centralizing all the logs of my 70 Linux boxes to one syslog server.

I want to forward just security-related issues to the central server. How do I filter the alerts to be sent?

Is there a possibility to do this?

Also, in syslog.conf I see this line:

# Everybody gets emergency messages
*.emerg @loghost

My question is: how do I know what is configured as *.emerg? Do I have an option to configure this?

Thanks very much!
 
Old 11-18-2004, 08:32 PM   #2
amfoster
Member
 
Registered: Aug 2004
Distribution: debian, SuSE
Posts: 365

Rep: Reputation: 36
Syslog entries are in 3 parts:
facility, priority, and where the log goes.

auth.info logs auth at the priority info and higher
auth.=info logs just the priority info

You can send the data to a user's terminal like such:
kern.* joe
That logs any kernel messages to joe's terminal
kern.* /var/log/kernlog sends to a file
kern.* @sunbox sends the log messages to a host box named sunbox

Sending logs to another machine uses port 514 or 601, I forget which, but looking in the /etc/services file should tell you.
That port must be open, of course, on the receiving end.

I suggest you take a look and download webmin from webmin.com. It is a nice GUI web-based tool for admin and allows easy configuration of the /etc/syslog.conf file.

Any changes to the conf do require restarting the syslogd daemon.
 
Old 11-20-2004, 04:33 AM   #3
juanb
Member
 
Registered: May 2002
Posts: 401

Original Poster
Rep: Reputation: 30
Another question please

I want to log all the security-related issues, such as authentication (password entering errors, change of file permissions, etc.), to be sent to another syslog server. Do you know how I can do it?

I know webmin, but I really don't want to use it because I will need to open other ports on the production Linux servers....


Thanks.
 
Old 11-21-2004, 09:32 AM   #4
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
The easiest way would be to look at the logs you have now and determine which logs have the info in them that you want to centralize. Then point these facilities to the syslog server by replacing the logfile with @sys.log.ip
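
How the selectors discussed in this thread decide which messages reach a destination such as @loghost, as an added example that is not part of any poster's reply: a small Python model of sysklogd-style selector matching. It goes beyond the posts by also handling `!`, `none` and `;`-combined selectors; the `auth,authpriv.info @loghost` rule and the function names are assumptions made for the illustration.

```python
# Added example: models sysklogd-style selector matching (not code from the thread).
# Priorities from least to most severe; a bare name means "this level and higher".
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample configuration; "loghost" is an assumed central server name.
SAMPLE_CONF = """\
# Everybody gets emergency messages
*.emerg                 @loghost
auth,authpriv.info      @loghost
kern.*                  /var/log/kernlog
"""


def allowed_priorities(selector, facility):
    """Return the set of priorities that `selector` passes for `facility`."""
    mask = set()
    for part in selector.split(";"):          # parts are applied left to right
        facilities, _, spec = part.strip().rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue                           # part names other facilities
        negate = spec.startswith("!")
        spec = spec.lstrip("!")
        exact = spec.startswith("=")
        spec = spec.lstrip("=")
        if spec == "none":                     # facility.none drops the facility
            mask = set(PRIORITIES) if negate else set()
            continue
        if spec == "*":
            chosen = set(PRIORITIES)
        else:
            level = PRIORITIES.index(ALIASES.get(spec, spec))
            chosen = {PRIORITIES[level]} if exact else set(PRIORITIES[level:])
        mask = mask - chosen if negate else mask | chosen
    return mask


def destinations(conf, facility, priority):
    """List the actions in `conf` that receive a facility/priority message."""
    priority = ALIASES.get(priority, priority)
    hits = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if priority in allowed_priorities(selector, facility):
            hits.append(action)
    return hits
```

Calling `destinations(SAMPLE_CONF, "auth", "info")` shows which rules would forward a failed-login style message, so a rule set can be checked before it is rolled out to every box.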
 
  

