If the log files are being generated on the client server via the syslog facility, then the best way is to set up the client's syslog daemon to forward those logs to a separate host. For example, if I have an internal name syslog.private which points to the remote server that I want to receive the log entries, I can add the following line to the /etc/syslog.conf on the client server.
*.* @syslog.private
and then restart the syslog daemon on the client
service syslog reload
This will cause every entry that passes through the client's syslog to be sent across the wire to syslog.private, and if that machine is configured correctly, the entries will be available there as well. In RedHat systems this is controlled by the /etc/sysconfig/syslog file. Make sure the -r option is present
% grep "SYSLOGD" /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"
and then restart the syslog daemon on the receiving server.
You can also control what is forwarded to the remote server by adding exclusions, see the example below
*.*;mail.none @syslog.private
Which says forward everything to syslog.private with the exception of anything sent to the mail facility.
If this solution works out for you, you may consider one of the alternate syslog implementations like rsyslog, or syslog-ng, which provide extra logging and storage options.
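To check what a selector such as *.*;mail.none actually forwards before relying on it, here is an added example (not part of the answer above) that evaluates syslog.conf-style selectors against constructed sample messages; it also handles the = (exact priority) form that the answer does not mention. Facility and priority tables are the standard syslog ones.

```python
# Added example: evaluate a syslog.conf selector list such as "*.*;mail.none"
# against sample messages, to see what a rule like "*.*;mail.none @syslog.private"
# would send across the wire. Sample messages below are constructed.

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Lower index = more severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_selector(selector):
    """Return {facility: set(accepted priorities)} for a ';'-separated selector.

    Later entries override earlier ones for the facilities they name, which is
    what makes "*.*;mail.none" mean "everything except the mail facility".
    """
    table = {}
    for entry in selector.split(";"):
        fac_part, prio = entry.strip().rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        if prio == "none":
            accepted = set()                       # facility silenced
        elif prio == "*":
            accepted = set(PRIORITIES)             # every priority
        elif prio.startswith("="):
            accepted = {prio[1:]}                  # exactly this priority
        else:
            # "mail.err" means err and anything more severe (smaller index).
            accepted = set(PRIORITIES[: PRIORITIES.index(prio) + 1])
        for fac in facs:
            table[fac] = accepted
    return table


def forwarded(selector, facility, priority):
    """True if a message with this facility/priority matches the selector."""
    return priority in parse_selector(selector).get(facility, set())


def main():
    # Constructed sample messages as (facility, priority) pairs.
    samples = [("auth", "info"), ("mail", "crit"), ("kern", "debug"), ("cron", "err")]
    for line in ("*.* @syslog.private", "*.*;mail.none @syslog.private"):
        rule = line.split()[0]                     # selector part of the line
        sent = [f"{f}.{p}" for f, p in samples if forwarded(rule, f, p)]
        print(f"{line!r} forwards: {sent}")


if __name__ == "__main__":
    main()
```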
I checked out several of the options mentioned on this page, and ended up using something far simpler: swatch.
Those other systems are great for dealing with existing system logs, or with software where you don't have control over the output. I just didn't want to write a bunch of code to do email notifications just yet. So I just created a swatch file like this:
watchfor /./
mail addresses=me\@example.com:other\@example.com,subject=log_alert
And then started it up with
swatch -c send-me-everything.swatch -t /my/app/urgentevents
It's crude, but since I control the logfile output, I don't need anything more complicated yet.
Best Answer
You should use a solution for log monitoring like OSSEC; it will look in your logs for security information (including login, sudo, etc.) and send you an e-mail when the alert is important.
It's easy to configure and you can raise the alert level for e-mails or include an alert-by-email on the specific alert. It can also do configurable active-response, blocking IPs and denying access for a period of time by default.