The University of Texas Health Science Center at Houston Information Technology Data Center Operations and Services Department.
Configuring your system logs to forward to IT Security

 

 

UNIX syslog:

- For an overview, here's a pretty good FAQ: http://cleveland.lug.net/syslog.html
- For specific information on your particular flavor of Linux/UNIX, check with your vendor, or for a quick cross-reference see: http://bhami.com/rosetta.html

 

ITS has four log servers on the network, one per security zone. Which collection server you forward your logs to depends on the security zone your server is in:

 

Zone 10 -> syslog.zone10.uth.tmc.edu
Zone 20 -> syslog.zone20.uth.tmc.edu
Zone 40 -> syslog.zone40.uth.tmc.edu
Zone 100 -> syslog.zone100.uth.tmc.edu

 

ITS wants all *.warning messages, that is, messages from any facility (*) with a severity of warning or higher. So if your server is in zone 10, edit your /etc/syslog.conf file and add the following line:


*.warning <Tab><Tab> @syslog.zone10.uth.tmc.edu
(best practice is to use tabs rather than spaces between the selector and the action when editing syslog.conf; some older syslogd implementations do not accept spaces as the separator)
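As an added check (not part of the ITS page), the Python script below parses a syslog.conf and confirms that some rule forwards warning-or-higher messages from all facilities to the collection server for a given zone, using the zone hostnames listed above. It understands the usual selector forms (*.warning, *.info, *.*, '=' and '!' priority modifiers, ';'-joined selectors) and flags a rule that uses spaces instead of tabs; the sample configuration at the bottom is constructed.

```python
import re

# Collection server for each ITS security zone (hostnames from the page above)
ZONE_HOSTS = {
    10: "syslog.zone10.uth.tmc.edu",
    20: "syslog.zone20.uth.tmc.edu",
    40: "syslog.zone40.uth.tmc.edu",
    100: "syslog.zone100.uth.tmc.edu",
}
# syslog priorities from least to most severe; "*.warning" selects warning and above
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def covers_warning_and_above(selector):
    """True if a selector such as '*.warning', '*.info' or '*.*' matches every facility at warning or higher."""
    for part in selector.split(";"):
        facility, _, level = part.rpartition(".")
        if facility != "*":
            continue                 # a single facility is not "any facility"
        if level == "*":
            return True
        if level[:1] in "=!":
            continue                 # '=warning' is exact-match, '!warning' excludes
        level = ALIASES.get(level, level)
        if level in LEVELS and LEVELS.index(level) <= LEVELS.index("warning"):
            return True
    return False

def check_forwarding(conf_text, zone):
    """Return a list of problems with the forwarding rules for the zone; an empty list means the requirement is met."""
    host = ZONE_HOSTS[zone]
    space_separated = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^(\S+)(\s+)(\S+)$", line)      # selector <whitespace> action
        if not m:
            continue
        selector, sep, action = m.groups()
        if action.split(":")[0] == "@" + host and covers_warning_and_above(selector):
            if " " not in sep:
                return []                             # tab-separated rule found
            space_separated = True
    if space_separated:
        return ["rule uses spaces before the action; use tabs"]
    return ["no rule forwards *.warning (or broader) to " + host]

# Constructed sample configuration for a zone-10 host with the recommended rule
SAMPLE_CONF = "*.info\t/var/log/messages\n*.warning\t\t@syslog.zone10.uth.tmc.edu\n"
print(check_forwarding(SAMPLE_CONF, 10))   # []
```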

 

Restart syslog so that it re-reads the configuration:
On Solaris: /etc/init.d/syslog stop ; /etc/init.d/syslog start
On BSD: kill -HUP `cat /var/run/syslog.pid`
On Linux: /etc/rc.d/init.d/syslog restart


Windows Event Viewer:

Since ITS' collection servers run native syslog, to send Windows Event Logs to them you will need to install a third-party syslog agent on the Windows host.
Some examples are:
Snare (freeware): http://www.intersectalliance.com/projects/SnareWindows/index.html
EventReporter (commercial): http://www.eventreporter.com/en/
Ntsyslog (freeware): http://ntsyslog.sourceforge.net/


Configure the agent to forward to the ITS collection server for your server's security zone, using the same zone-to-hostname list given in the UNIX syslog section above.

Cisco Router:

Cisco routers can be configured to forward their syslog messages to the collection server with the configuration command logging <loghost_host_name>. The command show logging displays the current logging configuration.

© 2006, The University of Texas Health Science Center at Houston