Hi folks,

My stack of trusty FreeBSD servers always seems to be growing, and it's getting to the point where the daily and security output mail is too much to make good use of. I'm looking for suggestions for log monitoring and aggregation tools, especially from a monitoring-for-security perspective.

If I had to imagine an ideal system, it would be a central server that securely collects syslog messages from all my servers, indexes them by server and severity, and gives a reasonable management interface. Given expressions based on facility, severity, log message, and the like, it could throw away useless messages, or page me for critical ones. This would tie into AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different flavors of IDS. It could even warn me when processes run away with the CPU or RAM, or disks get too full.

I've found a variety of things that almost do this. Nagios is good at paging for service failures, disk full warnings, and that sort of thing, but it doesn't seem well-suited for aggregating log messages. The Prelude IDS seems to have some kind of console, as does Samhain, but I want to try to avoid having different interfaces for each service type.

I realize this is something that could be had using IPSec-protected remote logging with some greps and interface stuff bolted on, but if there's a ready-made tool, it'd save me a fair bit of implementation time. What kind of things are other security-minded admins using to stay on top of all the logs?

Thanks,
Mark
Mark Johnston wrote:
> If I had to imagine an ideal system, it would be a central server that
> securely collects syslog messages from all my servers, indexes them by server
> and severity, and gives a reasonable management interface. Given expressions
> based on facility, severity, log message, and the like, it could throw away
> useless messages, or page me for critical ones. This would tie into
> AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different
> flavors of IDS. It could even warn me when processes run away with the CPU
> or RAM, or disks get too full.

Consider Big Brother from www.bb4.com. It monitors processes, ports, disk space, load average, looks for interesting stuff in the system logfile, and has a central web-based dashboard with historical logs.

[ Slightly off-topic for freebsd-security, moving to -questions. ]

-- 
-Chuck
Mark Johnston wrote:
> Hi folks,
>
> My stack of trusty FreeBSD servers always seems to be growing, and it's
> getting to the point where the daily and security output mail is too much to
> make good use of. I'm looking for suggestions for log monitoring and
> aggregation tools, especially from a monitoring-for-security perspective.

A project started about a year ago to do just this. Dig in the archives of the freebsd mailing lists for it.

Eric

-- 
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
I have seen the future and it is just like the present, only longer.
------------------------------------------------------------------------
Mark Johnston <mjohnston@skyweb.ca> writes:
> Hi folks,
>
> My stack of trusty FreeBSD servers always seems to be growing, and it's
> getting to the point where the daily and security output mail is too much to
> make good use of. I'm looking for suggestions for log monitoring and
> aggregation tools, especially from a monitoring-for-security perspective.
>
> If I had to imagine an ideal system, it would be a central server that
> securely collects syslog messages from all my servers, indexes them by server
> and severity, and gives a reasonable management interface. Given expressions
> based on facility, severity, log message, and the like, it could throw away
> useless messages, or page me for critical ones. This would tie into
> AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different
> flavors of IDS. It could even warn me when processes run away with the CPU
> or RAM, or disks get too full.
>
> I've found a variety of things that almost do this. Nagios is good at paging
> for service failures, disk full warnings, and that sort of thing, but it
> doesn't seem well-suited for aggregating log messages. The Prelude IDS seems
> to have some kind of console, as does Samhain, but I want to try to avoid
> having different interfaces for each service type.
>
> I realize this is something that could be had using IPSec-protected remote
> logging with some greps and interface stuff bolted on, but if there's a
> ready-made tool, it'd save me a fair bit of implementation time. What kind
> of things are other security-minded admins using to stay on top of all the
> logs?

syslog-ng is useful for separating incoming log entries by server, facility and priority. I'd start with that. You could then use something like logwatch or logcheck to mail you or trigger a nagios warning on strange log lines.

-- 
Ted Cabeen           http://www.pobox.com/~secabeen            ted@cabeen.org
Check Website or Keyserver for PGP/GPG Key BA0349D2           ted@impulse.net
"I have taken all knowledge to be my province." -F. Bacon    secabeen@pobox.com
"Human kind cannot bear very much reality."-T.S.Eliot        secabeen@gmail.com
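An added example, not code from any poster, syslog-ng, logcheck or logwatch, of the two things the thread asks for: the split by host, facility and priority that Ted suggests, and the expression-based "throw away useless messages, page me for critical ones" filtering Mark describes. The script parses the RFC 3164 lines a central syslogd receives on the wire (`<PRI>timestamp host prog[pid]: msg`, where PRI = facility*8 + severity), indexes kept events by host and severity, and applies a small first-match rule list. It goes one step past single-line matching by counting failed SSH logins per source address, since a single "Failed password" line is noise but several from one source are worth a page. The rule set, the threshold of three failures, the hostnames and every sample line are constructed for this example.

```python
"""Central syslog triage: parse, index by host/severity, drop noise, page on critical.

Added example illustrating the filtering discussed in the thread (not code from
syslog-ng, logcheck, logwatch or any poster). All sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# RFC 3164 facility and severity names, indexed by number (PRI = facility*8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host prog[pid]: message  (what a central syslogd sees from remote hosts)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$")


def parse_syslog(line):
    """Return host/facility/severity/prog/msg for one line, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23*8 + 7 is the largest legal PRI; anything above is garbage
        return None
    return {
        "host": m.group("host"),
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "sev_num": pri % 8,  # lower number = more severe
        "prog": m.group("prog"),
        "msg": m.group("msg"),
        "raw": line,
    }


# Rules are (name, predicate, action); first match wins, unmatched events are kept.
# "drop" discards the event, "page" keeps it and raises an alert. Hypothetical rule set.
RULES = [
    ("cron noise", lambda e: e["facility"] == "cron" and e["sev_num"] >= 6, "drop"),
    ("crit or worse", lambda e: e["sev_num"] <= 2, "page"),
    ("root escalation", lambda e: e["prog"] == "su" and " to root " in e["msg"], "page"),
]

FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def triage(lines, rules=RULES, login_threshold=3):
    """Parse lines, apply rules, index kept events by host and severity, and
    page when one source address accumulates login_threshold SSH failures on a host."""
    kept, pages, dropped, malformed = [], [], 0, 0
    index = defaultdict(lambda: defaultdict(list))  # index[host][severity] -> events
    failures = Counter()                            # (host, source ip) -> failed logins
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            malformed += 1
            continue
        action = next((a for _, p, a in rules if p(ev)), "keep")
        if action == "drop":
            dropped += 1
            continue
        kept.append(ev)
        index[ev["host"]][ev["severity"]].append(ev)
        if action == "page":
            pages.append((ev["host"], ev["severity"], ev["msg"]))
        m = FAILED_LOGIN_RE.search(ev["msg"])
        if m and ev["facility"] == "auth":
            failures[(ev["host"], m.group(2))] += 1
    for (host, src), n in failures.items():
        if n >= login_threshold:
            pages.append((host, "threshold", f"{n} failed SSH logins from {src}"))
    return {"kept": kept, "pages": pages, "dropped": dropped,
            "malformed": malformed, "index": index, "failures": failures}


SAMPLE_LINES = [  # constructed for this example; hosts and addresses are made up
    "<78>Mar  3 10:15:01 web1 /usr/sbin/cron[555]: (root) CMD (/usr/libexec/atrun)",
    "<38>Mar  3 10:15:09 web1 sshd[1234]: Failed password for root from 10.0.0.5 port 5123 ssh2",
    "<38>Mar  3 10:15:11 web1 sshd[1236]: Failed password for invalid user admin from 10.0.0.5 port 5124 ssh2",
    "<38>Mar  3 10:15:14 web1 sshd[1238]: Failed password for root from 10.0.0.5 port 5125 ssh2",
    "<2>Mar  3 10:16:40 db1 kernel: pid 812 (postgres), uid 70: exited on signal 11 (core dumped)",
    "<37>Mar  3 10:18:00 web2 su: alice to root on /dev/pts/0",
    "<30>Mar  3 10:18:05 web2 ntpd[77]: kernel time sync status change 2001",
    "this is not a syslog line",
]

if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print(f"kept={len(r['kept'])} dropped={r['dropped']} malformed={r['malformed']}")
    for host, sevs in sorted(r["index"].items()):
        print(host, {s: len(v) for s, v in sevs.items()})
    for host, sev, msg in r["pages"]:
        print(f"PAGE {host} [{sev}] {msg}")
```

On the sample input the cron line is dropped, the non-syslog line is counted as malformed, the kernel crit and the su-to-root lines page immediately, and the three failures from 10.0.0.5 produce a fourth page once the threshold is reached. Keeping the parser separate from the rule list is the point: the same `RULES` structure is what a syslog-ng filter or a logcheck ignore file expresses, and the threshold counter is the part neither does on its own.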