Edit /etc/syslog.conf. Add or correct the line:

*.*                        @loghost.example.com

where loghost.example.com is the name of your central log server. Separate the selector (*.*) from the action (@loghost.example.com) with a tab: some syslogd implementations do not accept spaces between the two fields. Leave the existing lines that write to local files in place; this line is added alongside them, not in place of them.

It is particularly important that logs be stored on the local host in addition to being sent to the loghost, because syslogd uses UDP to send messages over the network. UDP does not guarantee delivery, and even a moderately busy site will lose log messages occasionally, especially during periods of high traffic, which may themselves be the result of an attack. In addition, remote syslog messages are not authenticated, so it is easy for an attacker to inject spurious messages into the central log server. Some problems also cause loss of network connectivity, which prevents messages from reaching the central server at all. For all of these reasons, it is better to store log messages both centrally and on each host, so that the two copies can be correlated when necessary.
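The check below is an added example, not part of the original guide: a small Python audit of a classic syslog.conf that confirms the host forwards *.* to the loghost, still writes to local files, and uses a tab between selector and action. The two sample configurations are constructed for the example; the hostname loghost.example.com is the one used on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: everything forwarded to the loghost, nothing kept locally.
REMOTE_ONLY = (
    "# /etc/syslog.conf (constructed example)\n"
    "*.*\t@loghost.example.com\n"
)

# Constructed sample: local files plus forwarding, which is what the page recommends.
LOCAL_AND_REMOTE = (
    "# /etc/syslog.conf (constructed example)\n"
    "*.info;mail.none;authpriv.none\t/var/log/messages\n"
    "authpriv.*\t\t\t/var/log/secure\n"
    "mail.*\t\t\t\t-/var/log/maillog\n"
    "*.*\t\t\t\t@loghost.example.com\n"
)


@dataclass
class Rule:
    selector: str
    action: str
    tab_separated: bool   # classic syslogd wants a tab between the fields
    raw: str


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse 'selector<whitespace>action' lines; '#' starts a comment.

    Spaces are accepted as well as tabs so that a line some syslogd
    implementations would reject is still parsed and can be reported.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line: no action field
        rules.append(Rule(parts[0], parts[1],
                          bool(re.match(r"^\S+\t", line)), line))
    return rules


def remote_targets(rules: List[Rule]) -> List[str]:
    """Hosts named by '@host' actions (UDP syslog forwarding)."""
    return [r.action[1:] for r in rules if r.action.startswith("@")]


def local_file_targets(rules: List[Rule]) -> List[str]:
    """Local file actions; a leading '-' (sysklogd: no fsync per write) is dropped."""
    out = []
    for r in rules:
        path = r.action.lstrip("-")
        if path.startswith("/"):
            out.append(path)
    return out


def audit(text: str, loghost: str) -> List[str]:
    """Return a list of findings; an empty list means the config matches the guidance."""
    rules = parse_syslog_conf(text)
    findings = []
    if not any(r.selector == "*.*" and r.action == "@" + loghost for r in rules):
        findings.append(f"no rule forwards *.* to @{loghost}")
    if not local_file_targets(rules):
        findings.append("no local file destinations: UDP forwarding alone can lose messages")
    for r in rules:
        if not r.tab_separated:
            findings.append("selector/action separated by spaces, not a tab "
                            f"(rejected by some syslogd implementations): {r.raw!r}")
    return findings


if __name__ == "__main__":
    for name, conf in (("REMOTE_ONLY", REMOTE_ONLY), ("LOCAL_AND_REMOTE", LOCAL_AND_REMOTE)):
        print(name, audit(conf, "loghost.example.com") or "OK")
```

Run it against a real file with `audit(open("/etc/syslog.conf").read(), "loghost.example.com")`. The parser is deliberately lenient so that a line a strict syslogd would silently ignore shows up as a finding rather than disappearing.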
