[c-nsp] Providing 3rd party access to logs (syslog)

Gregori Parker Gregori.Parker at theplatform.com
Thu Aug 16 14:18:59 EDT 2007


I just went through a similar scenario, so I'll offer up the solution I
put in place.

All of our syslogs were initially being received by an instance of Kiwi
syslog daemon; not stored permanently, just emailed/SMSed on certain
events.  We suddenly ran into the need to make the messages permanent
and searchable by other personnel with varying degrees of access, and
needed an immediate solution that required as little reconfiguration as
possible.  So, I grabbed an underutilized linux server, configured
syslog-ng to receive syslogs and inject them into mysql, then threw
php-syslog-ng on that server as a web front-end for it all.  Then I
configured Kiwi to relay anything level notify or above to the linux
server... problem solved.  Not the most elegant solution, but it was quick
and didn't require any reconfiguration of devices or swapping around of
servers.  Plus, it provided search capabilities by
facility/device/time/level/host/message/etc.  From there, you're just
dealing with making that web page accessible to the third party.

If I had to do it from scratch, I'd eliminate the middle-man
(Kiwi/Windows) and implement some log rotation so that the database
remains optimized.  Oh, and if you decide to use the php-syslog-ng,
search for the "enhanced" version that's more current (the one by the
original name stopped being updated years ago).  Hope that helps --
Gregori
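The pipeline Gregori describes (syslog-ng feeding MySQL, Kiwi relaying only notice and above, a web front-end that searches by facility/host/level/message) reduced to a small added example, not code from the thread or from syslog-ng/php-syslog-ng: it decodes the syslog PRI field, applies the severity cut-off before anything is stored, and searches with parameterised queries only, which is the part that matters once the search page is opened to a third party. SQLite stands in for MySQL and the sample lines are constructed.

```python
import re
import sqlite3
# Hypothetical stand-in for the thread's syslog-ng -> MySQL -> php-syslog-ng pipeline (SQLite replaces MySQL).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
NOTICE = 5  # 0 is most urgent, so "notice or above" means severity number <= 5
# BSD-style line: <PRI>Mmm dd HH:MM:SS host message, with PRI = facility*8 + severity
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line):
    """Decode PRI into facility/severity; None for anything malformed."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "sev_num": pri & 7, "ts": m.group(2), "host": m.group(3), "msg": m.group(4)}

def store(lines, max_sev=NOTICE, path=":memory:"):
    """Load lines at or above the cut-off (Kiwi's relay filter); return (conn, rows kept)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS logs (facility TEXT, severity TEXT, "
                 "sev_num INTEGER, ts TEXT, host TEXT, msg TEXT)")
    kept = 0
    for rec in filter(None, map(parse, lines)):
        if rec["sev_num"] > max_sev:
            continue  # chattier than the relay threshold: never reaches the database
        conn.execute("INSERT INTO logs VALUES (?,?,?,?,?,?)", (rec["facility"],
                     rec["severity"], rec["sev_num"], rec["ts"], rec["host"], rec["msg"]))
        kept += 1
    conn.commit()
    return conn, kept

def search(conn, host=None, severity=None, text=None):
    """Parameterised query: third-party search input never reaches the SQL string."""
    sql, args = "SELECT host, severity, msg FROM logs WHERE 1=1", []
    for clause, value in (("host = ?", host), ("severity = ?", severity),
                          ("msg LIKE ?", text and "%" + text + "%")):
        if value:
            sql, args = sql + " AND " + clause, args + [value]
    return conn.execute(sql + " ORDER BY rowid", args).fetchall()

SAMPLE = [  # constructed lines; Cisco gear logs to facility local7 (23) by default
    "<189>Aug 16 14:18:59 fw1 user admin entered configuration mode",       # local7.notice
    "<190>Aug 16 14:19:02 fw1 built outbound TCP connection 10.0.0.5:443",  # local7.info
    "<187>Aug 16 14:19:10 core-sw1 interface Gi0/1 changed state to down",  # local7.err
    "not a syslog line at all",
]
```

Running `store(SAMPLE)` keeps two of the four lines: the info message falls below the notice threshold and the malformed line never parses.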



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dale Shaw
Sent: Thursday, August 16, 2007 12:32 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Providing 3rd party access to logs (syslog)

Hi all,

This may be a bit off topic, but I figure the cisco-nsp brains trust
will have "been there, done that" already.

Has anyone had a requirement to provide 3rd parties with access to log
files? I have a requirement to provide access to firewall log files
(syslogged) to a security group within an enterprise.

Logs held on the logging server will be sorted into a directory
hierarchy based on the logging device's name, year, date, day and then
severity (or something similar). They will likely be compressed.

I figure this could be as simple as setting up a web server on the log
server and enabling directory listings / browsing on the virtual
directories.

Has anyone come across a "nicer" solution? Perhaps something that
provides (for example) search capabilities and results filtering, and
real time log watching (ala "tail") through a web interface?

The log server OS has not been decided yet. It's likely to be Linux or
Windows Server.

cheers,
Dale
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/