One of the things I like most about Linux is that everything that happens inside it is logged. Whether a user logs in through ssh or a new visitor passes through your website, the event is recorded in detail. The events related to the system itself are logged by a tool called syslog, which should be present on all Linux systems. Unfortunately, if an attacker breaks into your system, the first thing they will probably do is cover their tracks, rendering the local logging tool useless. Basically, if the attacker is any good, you won't find any incriminating traces in the log files. You might even have a backdoor installed and not know anything about it. This is where syslog's remote reception feature comes in handy. You can set up a syslog server on a safe, otherwise unused computer that acts as a central logging system for other computers (public-facing computers that are more likely to be targeted) on the local network or even across the Internet. This way, every computer immediately sends its system-related events to the syslog server, so your logs stay complete and untampered with at all times.
This article will describe in detail how to set up a syslog server for one or more Unix systems, on Fedora Core and Ubuntu/Debian. However, it *should* work for just about any Linux distribution.
Configure the syslog SERVER
I'm sure most, if not all, Linux systems already have syslog installed, so I'll skip this step.
- First of all, you'll need to stop the syslog service:
Fedora Core:
[root:core][~]# ps axfu | grep syslog
root 12699 0.0 0.1 3884 668 pts/0 S+ 10:16 0:00 _ grep syslog
root 12688 0.0 0.1 1692 576 ? Ss 10:12 0:00 syslogd -rm 0
[root:core][~]# kill -9 12688
Fedora Core:
- Open /etc/sysconfig/syslog with your favorite text editor
- Find the line:
Then add this line (or lines) to rc.local so it will be executed every time the system boots.
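Before moving on to the clients it is worth checking that the server side really came up with remote reception enabled. The script below is an added example, not part of the original article: it reads an /etc/sysconfig/syslog style file and a `ps axfu` listing (both constructed here from the lines shown above) and answers two questions a practitioner wants answered before touching any client: does SYSLOGD_OPTIONS carry `-r`, and is the syslogd that is actually running the one with `-r`? The sysconfig sample is constructed; the process listing is the one printed earlier on this page.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks for the
# syslog SERVER. sysklogd only accepts log records from the network when
# syslogd runs with -r ("remote reception"); on Fedora Core that flag is
# taken from SYSLOGD_OPTIONS in /etc/sysconfig/syslog.

remote_reception_enabled() {
    # Read an /etc/sysconfig/syslog style file on stdin and succeed (exit 0)
    # if SYSLOGD_OPTIONS contains -r, alone or bundled as in "-rm 0".
    sed -n 's/^SYSLOGD_OPTIONS=//p' | tr -d '"' | tr ' ' '\n' \
        | grep -q '^-[a-z]*r'
}

syslogd_pid() {
    # Read "ps axfu" output on stdin and print the PID of syslogd,
    # skipping the "grep syslog" line that the listing itself produces.
    awk '!/grep/ && /syslogd/ { print $2 }'
}

syslogd_is_remote() {
    # Read "ps axfu" output on stdin and succeed if the running syslogd
    # was started with -r (the page shows it as "syslogd -rm 0").
    awk '!/grep/ && /syslogd/' | grep -q ' -[a-z]*r'
}

# Process listing as printed earlier on this page.
SAMPLE_PS='root 12699 0.0 0.1 3884 668 pts/0 S+ 10:16 0:00 _ grep syslog
root 12688 0.0 0.1 1692 576 ? Ss 10:12 0:00 syslogd -rm 0'

# Constructed sample of /etc/sysconfig/syslog after the edit described above.
SAMPLE_SYSCONFIG='# constructed sample, not a real system file
SYSLOGD_OPTIONS="-rm 0"'

# Demo run on the constructed input.
printf '%s\n' "$SAMPLE_PS" | syslogd_pid            # prints 12688
if printf '%s\n' "$SAMPLE_PS" | syslogd_is_remote; then
    echo "syslogd is running with remote reception"
fi
if printf '%s\n' "$SAMPLE_SYSCONFIG" | remote_reception_enabled; then
    echo "SYSLOGD_OPTIONS enables remote reception"
fi
```

On a live server, feed the real files instead of the samples: `remote_reception_enabled < /etc/sysconfig/syslog` and `ps axfu | syslogd_is_remote`. Two things to keep in mind once `-r` is on: syslogd now listens on UDP port 514 for anyone who can reach it and accepts records without any authentication, so restrict that port with the host firewall to the addresses of your clients; and killing the daemon with `kill -9` gives it no chance to flush, so where a distribution provides an init script, prefer its `restart` action.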
Configure the CLIENT computers
- The client computers are configured to send every logged event to the syslog server as soon as it occurs. To do this, edit the file /etc/syslog.conf on every client computer and add this line AT THE TOP of the file:
- Next, restart the syslog on every client you've edited:
# or
/etc/init.d/sysklogd restart
# or
/etc/rc.d/rc.syslog restart
# or (no init script: find the syslogd PID, kill it, start it again)
ps axfu | grep syslog
kill -9 PID
syslogd
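The client-side change is a single line in /etc/syslog.conf, and it is easy to get wrong or to add twice when you roll it out over many machines. The script below is an added example, not code from the original article: it inserts a sysklogd forwarding line of the form `*.* @server` (every facility, every priority, forwarded over UDP/514) at the top of a syslog.conf, does nothing if that host is already configured, and lists the hosts a given syslog.conf forwards to so you can audit a fleet. The server address 192.0.2.10 and the sample configuration are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): manage the forwarding line
# on a syslog CLIENT. In sysklogd's syslog.conf, the action "@host" means
# "send the selected records to host over UDP/514".
# 192.0.2.10 is a constructed placeholder for the real syslog server.
LOGSERVER="${LOGSERVER:-192.0.2.10}"

add_forwarding_line() {
    # $1 = path to syslog.conf. Put "*.* @$LOGSERVER" as the first line
    # unless an uncommented line already forwards to that host (idempotent).
    conf="$1"
    if sed 's/#.*//' "$conf" | grep -qF -- "@$LOGSERVER"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    { printf '*.*\t@%s\n' "$LOGSERVER"; cat "$conf"; } > "$tmp" && mv "$tmp" "$conf"
}

forwarding_hosts() {
    # Print every remote host the given syslog.conf forwards to: the
    # action column (2nd field) when it starts with '@', comments ignored.
    sed 's/#.*//' "$1" | awk '$2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' | sort -u
}

# Constructed sample client configuration, written to a temp file for the demo.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample /etc/syslog.conf
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
kern.*                   -/var/log/kern.log
EOF

add_forwarding_line "$SAMPLE_CONF"
add_forwarding_line "$SAMPLE_CONF"   # second call must not add a duplicate
echo "forwarding to: $(forwarding_hosts "$SAMPLE_CONF")"   # 192.0.2.10
```

Run it with `LOGSERVER=<your server> sh script.sh`, or call `add_forwarding_line /etc/syslog.conf` from a rollout script, and remember that the daemon only re-reads the file after the restart described above. Because `@host` forwards over UDP with no acknowledgement, records sent while the server is down are lost on the wire; the local files still keep their copy, which is why the sample keeps its local rules rather than replacing them.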
This is it. If everything was done correctly, you should start receiving log events to the syslog server. To view them, run:
tail -f /var/log/secure
(CTRL + C to escape)
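Watching the file scroll by confirms that something arrives, but on a server collecting from several clients the question a defender actually needs answered is which clients are reporting and which have gone quiet. The script below is an added example, not part of the original article: it reads classic syslog lines ("Mon DD HH:MM:SS host program: message", where the host is the 4th field), counts records per client with the time each was last heard from, and names any expected host that has sent nothing. The log lines and host names are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the original article): summarise which clients
# are reaching the syslog server, by the hostname in the 4th field of the
# line format sysklogd writes. All log lines below are constructed samples.
SAMPLE_LOG='Mar  3 10:12:01 core syslogd 1.4.1: restart (remote reception).
Mar  3 10:14:22 web1 sshd[2201]: Accepted publickey for deploy from 192.0.2.55 port 41022 ssh2
Mar  3 10:14:40 web1 sshd[2207]: Failed password for root from 192.0.2.99 port 51234 ssh2
Mar  3 10:15:03 mail1 postfix/smtpd[844]: connect from unknown[192.0.2.77]
Mar  3 10:16:11 web1 sshd[2210]: Failed password for root from 192.0.2.99 port 51240 ssh2'

reporting_hosts() {
    # Read log lines on stdin; print "host count last-seen-time", one per host.
    awk '{ n[$4]++; last[$4] = $3 }
         END { for (h in n) print h, n[h], last[h] }' | sort
}

silent_hosts() {
    # $1 = space-separated list of hosts expected to report; log on stdin.
    # Print each expected host that has not logged a single record.
    seen=$(awk '{ print $4 }' | sort -u)
    for h in $1; do
        echo "$seen" | grep -qx "$h" || echo "$h"
    done
}

# Demo on the constructed sample: db1 is expected but never reports.
printf '%s\n' "$SAMPLE_LOG" | reporting_hosts
printf '%s\n' "$SAMPLE_LOG" | silent_hosts "core web1 mail1 db1"   # prints db1
```

On the real server run `reporting_hosts < /var/log/messages` (or whichever file your syslog.conf sends remote records to) from cron and compare against the list of clients you configured: a host missing from the output, or whose last-seen time stops advancing, is the first sign that its syslogd was stopped or its forwarding line removed, which is exactly the situation central logging exists to catch.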