[j-nsp] Best practices for syslog configuration

Tyler Christiansen tyler at adap.tv
Wed Jun 25 12:41:21 EDT 2014


For centralized logging, we let Juniper send everything it has.  Logstash +
ElasticSearch makes searching for everything a breeze, and we don't really
notice much noise as a result.  Custom filters bring interesting data to
our attention, but we also have data that's typically "uninteresting" saved
as well in case it ever becomes interesting.

Having separate configurations for things like audits is also useful.  At
previous employers, we would send specific log messages to separate
files/servers for partner use/consumption (unfortunate internal security
compliance audits).

As far as "failed" attempts with an invalid password...well, since RE
filters are in place to prevent access outside of corporate subnets and
known external bastions, it's not an issue for us.  If we wanted that
information, we could just set the filter to log the data...but again, it's
not that important.

I know this doesn't include any configuration snippets (sorry), but we
aren't doing anything fancy with the network equipment.  The fancy stuff
all happens on our logging cluster.

--tc




On Wed, Jun 25, 2014 at 8:33 AM, Richard Hartmann <
richih.mailinglist at gmail.com> wrote:

> Dear all,
>
> Juniper's syslog is arguably strange, by default.
>
> Point in case, with "any warning":
>
> * If I try to log in with an existing user and bad password via ssh, a
> remote syslog message with username and source IP is logged
> * If I try to log in with a non-existing user and any password via ssh, _no_
> remote syslog message is generated. I get why you wouldn't want to log
> a fat-fingered password as username, but source IP, or at least the
> attempt, should be logged
> * Every time I log out, inetd feels the need to tell me the return
> code of my sshd process
>
> While we are obviously customizing this, I am sure that there are
> quite sophisticated syslog configurations out there which balance
> verbosity and security which have grown over the years.
>
> Long story short, I would appreciate a sharing of syslog
> configurations, potentially interleaved with a discussion about
> relative merits.
>
>
> Thanks,
> Richard
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 

Tyler Christiansen | Technical Operations
tyler@adap.tv | www.adap.tv
m: 864.346.4095
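As an added illustration of the "custom filters" approach Tyler describes (this is not code from either post, nor from Juniper or Logstash), the script below classifies forwarded sshd and inetd syslog lines, counts failed SSH logins per source address, flags sources that cross a threshold, and separately tallies the inetd "exited, status" chatter Richard mentions so it can be dropped or deprioritised. The sample lines are constructed in OpenSSH's message wording with documentation-range addresses; which of these messages a given Junos release actually emits under "any warning" varies, as Richard's observations show, so the patterns are assumptions to be checked against real device output.

```python
"""Classify forwarded Junos sshd/inetd syslog lines and summarise failed
SSH logins per source address.  Added example; the log lines below are
constructed in OpenSSH's message wording, not captured from a device."""
import re
from collections import defaultdict

# Constructed sample: hostnames, PIDs and addresses are made up
# (RFC 5737 documentation ranges).
SAMPLE_LINES = [
    "Jun 25 12:40:01 edge-r1 sshd[5121]: Failed password for admin from 198.51.100.7 port 51234 ssh2",
    "Jun 25 12:40:05 edge-r1 sshd[5121]: Failed password for admin from 198.51.100.7 port 51240 ssh2",
    "Jun 25 12:40:09 edge-r1 sshd[5130]: Invalid user oracle from 198.51.100.7",
    "Jun 25 12:40:09 edge-r1 sshd[5130]: Failed password for invalid user oracle from 198.51.100.7 port 51250 ssh2",
    "Jun 25 12:40:30 edge-r1 sshd[5140]: Accepted password for netops from 203.0.113.9 port 40000 ssh2",
    "Jun 25 12:41:21 edge-r1 inetd[1188]: /usr/sbin/sshd[5140]: exited, status 255",
    "Jun 25 12:42:00 edge-r1 sshd[5150]: Failed password for netops from 203.0.113.9 port 40010 ssh2",
]

# BSD syslog header: timestamp, host, then "process[pid]: message".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSH wording (assumed); "invalid user" marks an unknown account.
FAILED_PW_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
INETD_EXIT_RE = re.compile(r"exited, status \d+$")


def parse_line(line):
    """Return a dict describing the line, or None if it is not syslog-shaped."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"host": m["host"], "proc": m["proc"], "msg": m["msg"],
           "kind": "other", "user": None, "ip": None, "invalid_user": False}
    msg = m["msg"]
    if m["proc"] == "sshd":
        fm = FAILED_PW_RE.match(msg)
        if fm:
            rec.update(kind="failed_password", user=fm["user"], ip=fm["ip"],
                       invalid_user="invalid user" in msg)
            return rec
        im = INVALID_USER_RE.match(msg)
        if im:
            rec.update(kind="invalid_user", user=im["user"], ip=im["ip"])
            return rec
    elif m["proc"] == "inetd" and INETD_EXIT_RE.search(msg):
        rec["kind"] = "inetd_exit"
    return rec


def summarize(lines):
    """Aggregate failed logins per source IP.

    Each "Failed password" line counts as one attempt.  An "Invalid user"
    line only records the username, because sshd emits both lines for a
    single attempt against an unknown account and we must not double count."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid_users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] is None:
            continue
        entry = per_ip[rec["ip"]]
        if rec["kind"] == "failed_password":
            entry["attempts"] += 1
            entry["users"].add(rec["user"])
            if rec["invalid_user"]:
                entry["invalid_users"].add(rec["user"])
        elif rec["kind"] == "invalid_user":
            entry["invalid_users"].add(rec["user"])
    return dict(per_ip)


def flag_sources(summary, threshold=3):
    """Source addresses whose failed-attempt count reaches the threshold."""
    return sorted(ip for ip, e in summary.items() if e["attempts"] >= threshold)


def count_noise(lines):
    """Count inetd 'exited, status N' lines (the logout chatter in the thread)."""
    noise = 0
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["kind"] == "inetd_exit":
            noise += 1
    return noise


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for ip, entry in sorted(summary.items()):
        print(ip, entry["attempts"], sorted(entry["users"]), sorted(entry["invalid_users"]))
    print("flagged:", flag_sources(summary))
    print("inetd exit lines:", count_noise(SAMPLE_LINES))
```

The threshold and the per-IP grouping are the two knobs worth tuning: a low threshold surfaces fat-fingered passwords from known bastions, which Tyler's RE filters already make uninteresting, while grouping by source rather than by username is what makes a spray across many account names visible at all.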

