public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Sysloggers
From: Alan McKinnon @ 2009-06-16 20:49 UTC
  To: gentoo-user

Hi,

Does anyone have decent experience with sysloggers other than syslog-ng, and 
be willing to share experiences?

I'm especially interested in some of the advanced features of syslog-ng 
Premium from Balabit.com (based on and extending their open source version):

SSL-encrypted traffic over the network
Disk-based buffering on the client
Windows agents
Timezone aware (which syslog doesn't do and syslog-ng only partially)
Encrypted disk files
Filter, parse and rewrite incoming logs (vital if you need the auth log over 
here and the password field stored over there, without jumping through hoops 
first)
High scalability - 2000 Cisco devices and 200+ servers to start, distributed 
country wide

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] Sysloggers
From: Mark Shields @ 2009-06-17 14:33 UTC
  To: gentoo-user

On Tue, Jun 16, 2009 at 4:49 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> Hi,
>
> Does anyone have decent experience with sysloggers other than syslog-ng,
> and
> be willing to share experiences?
>
> I'm especially interested in some of the advanced features of syslog-ng
> Premium from Balabit.com (based on and extending their open source
> version):
>
> SSL-encrypted traffic over the network
> Disk-based buffering on the client
> Windows agents
> Timezone aware (which syslog doesn't do and syslog-ng only partially)
> Encrypted disk files
> Filter, parse and rewrite incoming logs (vital if you need the auth log
> over
> here and the password field stored over there, without jumping through
> hoops
> first)
> High scalability - 2000 Cisco devices and 200+ servers to start,
> distributed
> country wide
>
> --
> alan dot mckinnon at gmail dot com
>
>
syslog-ng is the de facto standard.  Metalog is fine for desktops, but I use
syslog-ng on all my servers.  Nearly all programs that can process log files
are compatible with it.

-- 
- Mark Shields


* Re: [gentoo-user] Sysloggers
From: Dale @ 2009-06-17 18:35 UTC
  To: gentoo-user

Mark Shields wrote:
> On Tue, Jun 16, 2009 at 4:49 PM, Alan McKinnon
> <alan.mckinnon@gmail.com> wrote:
>
>     Hi,
>
>     Does anyone have decent experience with sysloggers other than
>     syslog-ng, and
>     be willing to share experiences?
>
>     I'm especially interested in some of the advanced features of
>     syslog-ng
>     Premium from Balabit.com (based on and extending their open source
>     version):
>
>     SSL-encrypted traffic over the network
>     Disk-based buffering on the client
>     Windows agents
>     Timezone aware (which syslog doesn't do and syslog-ng only partially)
>     Encrypted disk files
>     Filter, parse and rewrite incoming logs (vital if you need the
>     auth log over
>     here and the password field stored over there, without jumping
>     through hoops
>     first)
>     High scalability - 2000 Cisco devices and 200+ servers to start,
>     distributed
>     country wide
>
>     --
>     alan dot mckinnon at gmail dot com
>
>
> syslog-ng is the de facto standard.  Metalog is fine for desktops, but
> I use syslog-ng on all my servers.  Nearly all programs that can
> process log files are compatible with it.
>
> -- 
> - Mark Shields

Same here.  I do wish it would fill my log full of dups tho.  Sometimes
my DVD thinks there is media in there and it is trying to read it when
it is empty.  Since it does this every two seconds, it can create a HUGE
messages file in a hurry.  logrotate helps with this but still, no need
doing the same line hundreds of thousands of times.

Dale

:-)  :-) 

P. S.  Now some guru tell me that it can be told not to do that.  :/




* Re: [gentoo-user] Sysloggers
From: Alan McKinnon @ 2009-06-17 21:31 UTC
  To: gentoo-user

On Wednesday 17 June 2009 16:33:39 Mark Shields wrote:
> On Tue, Jun 16, 2009 at 4:49 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> > Hi,
> >
> > Does anyone have decent experience with sysloggers other than syslog-ng,
> > and
> > be willing to share experiences?
> >
> > I'm especially interested in some of the advanced features of syslog-ng
> > Premium from Balabit.com (based on and extending their open source
> > version):
> >
> > SSL-encrypted traffic over the network
> > Disk-based buffering on the client
> > Windows agents
> > Timezone aware (which syslog doesn't do and syslog-ng only partially)
> > Encrypted disk files
> > Filter, parse and rewrite incoming logs (vital if you need the auth log
> > over
> > here and the password field stored over there, without jumping through
> > hoops
> > first)
> > High scalability - 2000 Cisco devices and 200+ servers to start,
> > distributed
> > country wide
> >
> > --
> > alan dot mckinnon at gmail dot com
>
> syslog-ng is the de facto standard.  Metalog is fine for desktops, but I
> use syslog-ng on all my servers.  Nearly all programs that can process log
> files are compatible with it.

I can't argue with that. I just get a little paranoid about auth logs being 
sent (with credentials) over partially-open networks, hence the attraction of 
encrypted traffic


-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] Sysloggers
From: Neil Bothwick @ 2009-06-17 21:48 UTC
  To: gentoo-user

On Wed, 17 Jun 2009 23:31:24 +0200, Alan McKinnon wrote:

> I can't argue with that. I just get a little paranoid about auth logs
> being sent (with credentials) over partially-open networks, hence the
> attraction of encrypted traffic

What about using an SSH tunnel?


-- 
Neil Bothwick

If Wile E. Coyote had enough money to buy all that ACME crap, why didn't
he just buy dinner?


* Re: [gentoo-user] Sysloggers
From: Alan McKinnon @ 2009-06-17 22:17 UTC
  To: gentoo-user

On Wednesday 17 June 2009 23:48:38 Neil Bothwick wrote:
> On Wed, 17 Jun 2009 23:31:24 +0200, Alan McKinnon wrote:
> > I can't argue with that. I just get a little paranoid about auth logs
> > being sent (with credentials) over partially-open networks, hence the
> > attraction of encrypted traffic
>
> What about using an SSH tunnel?

I thought about that - people other than me set up most of the machines and 
this may or may not be easy for them to do in practice. I'm sure you've seen 
how easy it is for otherwise smart people to royally screw up anything with 
ssh in its name...

Just keeping my options open, maybe there's something better suited to what I 
need than vanilla syslog-ng

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] Sysloggers
From: Mick @ 2009-06-17 22:37 UTC
  To: gentoo-user

On Wednesday 17 June 2009, Alan McKinnon wrote:
> On Wednesday 17 June 2009 23:48:38 Neil Bothwick wrote:
> > On Wed, 17 Jun 2009 23:31:24 +0200, Alan McKinnon wrote:
> > > I can't argue with that. I just get a little paranoid about auth logs
> > > being sent (with credentials) over partially-open networks, hence the
> > > attraction of encrypted traffic
> >
> > What about using an SSH tunnel?
>
> I thought about that - people other than me set up most of the machines and
> this may or may not be easy for them to do in practice. I'm sure you've
> seen how easy it is for otherwise smart people to royally screw up anything
> with ssh in its name...
>
> Just keeping my options open, maybe there's something better suited to what
> I need than vanilla syslog-ng

Perhaps rsyslog?

http://www.rsyslog.com
========================================
  "Among others, it offers support for on-demand disk buffering, reliable 
syslog over TCP, SSL, TLS and RELP, writing to databases (MySQL, PostgreSQL, 
Oracle, and many more), email alerting, fully configurable output formats 
(including high-precision timestamps), the ability to filter on any part of 
the syslog message, on-the-wire message compression, and the ability to 
convert text files to syslog. It is a drop-in replacement for stock syslogd 
and able to work with the same configuration file syntax."
========================================

It's in portage.

-- 
Regards,
Mick
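
Added example, not part of the original thread or of the rsyslog project's own documentation: a client-side rsyslog configuration covering the two features discussed above, TLS-encrypted forwarding of auth logs and a disk-assisted queue that buffers on the client while the central server is unreachable. The host name, certificate path, spool directory and queue name are placeholders; it assumes an rsyslog build with the GnuTLS (gtls) network stream driver and a server that does not require client certificates.

```conf
# rsyslog.conf fragment (constructed example; names and paths are placeholders)

# Weak setting, shown for contrast only: a single "@" forwards over
# plain UDP, so auth messages cross the network unencrypted and are
# lost without notice while the server is down.
#auth,authpriv.*  @logs.example.org:514

global(
    # Use the GnuTLS network stream driver for TLS.
    DefaultNetstreamDriver="gtls"
    # CA that signed the central log server's certificate.
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/log-ca.pem"
    # Directory where the disk queue writes its spool files.
    workDirectory="/var/spool/rsyslog"
)

# Corrected setting: forward auth logs over TCP wrapped in TLS.
auth,authpriv.* action(
    type="omfwd"
    target="logs.example.org"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"                # 1 = TLS only, no plaintext fallback
    StreamDriverAuthMode="x509/name"    # validate the server certificate and its name
    StreamDriverPermittedPeers="logs.example.org"
    # Disk-assisted queue: held in memory, spilled to workDirectory
    # when the server cannot be reached.
    queue.type="LinkedList"
    queue.filename="fwd_auth"           # setting a file name enables disk assistance
    queue.maxDiskSpace="1g"             # cap on spool usage
    queue.saveOnShutdown="on"           # keep queued messages across restarts
    action.resumeRetryCount="-1"        # retry indefinitely instead of discarding
)
```

Setting `StreamDriverAuthMode` to `anon` would still encrypt the traffic but would not verify which server receives the auth logs, so the name check is what addresses the partially-open network concern.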


* [gentoo-user]  Re: Sysloggers
From: Harry Putnam @ 2009-06-19 14:11 UTC
  To: gentoo-user

Mick <michaelkintzios@gmail.com> writes:

> Perhaps rsyslog?
>
> http://www.rsyslog.com
> ========================================
>   "Among others, it offers support for on-demand disk buffering, reliable 
> syslog over TCP, SSL, TLS and RELP, writing to databases (MySQL, PostgreSQL, 
> Oracle, and many more), email alerting, fully configurable output formats 
> (including high-precision timestamps), the ability to filter on any part of 
> the syslog message, on-the-wire message compression, and the ability to 
> convert text files to syslog. It is a drop-in replacement for stock syslogd 
> and able to work with the same configuration file syntax."
> ========================================
>
> It's in portage.

And I can say as an rsyslog user... of some months, that even if you
don't need all those refinements, for just basic use it's just like
syslog and doesn't require learning yet another config syntax like
syslog-ng does.



