Managing log files is a vital part of network administration. The syslog utility, which comes standard with every Linux distribution, offers the ability to log both to local files as well as to a remote system. This capability can be essential if you need to view log files on a compromised machine, particularly if you aren't sure if an attacker has "scrubbed" (or cleaned) the log files to hide evidence.
Setting up syslog to log remotely is simple. On the system for which you want to receive the log entries, configure syslog to start with the -r option, which enables it to receive remote log entries.
For example, on a Mandrake Linux system, edit the /etc/sysconfig/syslog file, and change the SYSLOGD_OPTIONS parameter to the following:SYSLOGD_OPTIONS="-r -m 0"
Next, restart the syslog service. You should also ensure that the firewall on that machine allows access to UDP port 514 from the machines that will be sending it logs.
On the system for which you wish to send log entries, modify the /etc/syslog.conf file, and add something similar to the following at the very bottom:*.info @loghost.mydomain.com
This tells syslog to send all *.info level log entries to the host loghost.mydomain.com. You can change which facilities you wish to remotely log, but *.info is generally sufficient. Restart syslog on this machine as well, and ensure that the firewall allows sending from the local host to the remote machine on UDP port 514.
Log entries from the one host should now appear on the remote host, mixed in with that host's own logs. For instance, your log files may now look like this:Jan 8 13:23:22 loghost fam: connect: Connection refused
Jan 8 13:23:24 remote.mydomain.com su(pam_unix): session closed for user root
As you can see from this snippet of /var/log/messages, syslog logs information for both loghost (the local machine) and remote.mydomain.com (the remote host) to the same file. At this point, install a log-watching utility on the loghost to alert you to any particular issues you would like to monitor (such as failed logins).