Date: Tue, 19 Feb 2008 13:04:17 -0500
From: Valdis.Kletnieks@...edu
To: shadow floating <nadengine@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: network management

On Tue, 19 Feb 2008 18:26:06 +0200, shadow floating said:
> Hi all,
> is it appropriate from security point of view to have one server in
> which syslog is installed to collect logs from all network devices

In general, yes.  That way, even if a box is compromised and the attacker
manages to wipe the local copy of the logs, you still have another copy
elsewhere.

It's even *more* useful for the more common case - a machine is starting to
go unstable, logging on the fly to both local disk and a remote machine. It
finally belly-ups, and the last bit of logs on the local end aren't flushed
to disk.   However, you still have a captured copy on the syslog server
where you can figure out why the machine died.

> network devices?, if yes, does any one recommend certain specs for this
> machine or it can be an ordinary machine with 1 GB of memory and 512
> GB hard disk and 3.2 GHz processor.

This is entirely dependent on local configuration issues - how many devices you
have, what level of logging you do (just critical messages, or everything from
debug on up), and what (if any) log retention requirements you have. If you
have 30 systems, only log critical messages that pop out once every hour or so,
and only keep 30 days worth, an old Pentium-II with a 300 meg hard drive will
be enough.  If your network infrastructure includes 1,100 switches, 1,300
wireless access points, several hundred servers, and you have legal
requirements to keep stuff for 3 years, you'll want something a bit beefier. I
*can* say that a box with 4 2.8GHz Xeons and 2G of RAM running syslog-ng can
handle 800 msgs/sec without even breaking a sweat, and stress tests indicate
that 4K/sec is easily doable.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
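A minimal syslog-ng configuration for the setup Valdis describes, as an added example that is not part of the original thread: every device keeps writing its own local log and also forwards a copy to the central collector, and the collector writes one file per sending host so a wiped or crashed box still has its history elsewhere. The hostname, ports, file paths and CA directory (loghost.example.org, 6514, /var/log/remote, /etc/syslog-ng/ca.d) are placeholders chosen for the example; adjust them to your environment and check the option names against the syslog-ng version you run, since the syntax shown is for the 3.x series rather than the 2.x releases current when the thread was written.

```conf
# ---- Client side (every server or device that can run syslog-ng) ----
# Assumed file: /etc/syslog-ng/syslog-ng.conf on the monitored host
@version: 3.38

source s_local {
    system();      # local /dev/log, kernel ring buffer etc.
    internal();    # syslog-ng's own messages (useful when forwarding breaks)
};

# Local copy: what the admin reads day to day, and what an intruder may wipe.
destination d_local {
    file("/var/log/messages");
};

# Remote copy: TCP so nothing is silently dropped, TLS so the collector can
# verify which host is talking, and a disk buffer so messages queue locally
# while the collector or the network is unreachable instead of being lost.
destination d_remote {
    network("loghost.example.org" port(6514)       # placeholder collector
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")          # placeholder CA directory
            peer-verify(required-trusted)
        )
        disk-buffer(
            reliable(yes)
            disk-buf-size(104857600)               # 100 MB on disk
            mem-buf-size(10485760)                 # 10 MB in memory
        )
    );
};

# One log path, two destinations: both copies are written for every message.
log {
    source(s_local);
    destination(d_local);
    destination(d_remote);
    flags(flow-control);
};

# ---- Collector side (the dedicated syslog server) ----
# Assumed file: /etc/syslog-ng/syslog-ng.conf on loghost.example.org
# @version: 3.38

# Accept TLS-protected syslog from the devices; the keys referenced here are
# placeholders and must be issued from the same CA the clients trust.
source s_net {
    network(ip("0.0.0.0") port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.d/loghost.key")
            cert-file("/etc/syslog-ng/cert.d/loghost.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# One directory per sending host and one file per day; this is the layout
# that makes "how much disk for N devices over M days" easy to measure.
destination d_hosts {
    file("/var/log/remote/${HOST}/${YEAR}${MONTH}${DAY}.log"
        create-dirs(yes)
        owner("root") group("adm") perm(0640)
    );
};

log {
    source(s_net);
    destination(d_hosts);
};
```

Two points worth checking once this is in place. First, legacy network gear that can only send plain UDP syslog to port 514 needs a separate `network(... transport("udp"))` source on the collector, and for those devices the "last messages before the crash" guarantee is weaker, since UDP is fire-and-forget and the source address is trivially spoofed. Second, the collector becomes the one box whose compromise undoes the whole scheme, so keep it off the general management network, restrict who can log in, and size its disk from the measured per-host rate in /var/log/remote rather than from a guess.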
