LinuxQuestions.org

Linux - Enterprise: What are you logging on a syslog server? (https://www.linuxquestions.org/questions/linux-enterprise-47/what-are-you-logging-on-a-syslog-server-4175586365/)

JockVSJock 08-05-2016 12:08 PM

What are you logging on a syslog server?
 
Have a RHEL server where all Oracle databases place their .aud and .dmp files on a daily basis for safekeeping/audit.

I would like to expand what is backed up/audited to this server and was wondering what others have logged to a syslog server?

thanks

ihaveavirus 08-08-2016 09:48 AM

At the bare minimum you should log:

logins, sudo, messages, and SELinux violations

If you want to get a little more advanced I suggest looking into AIDE, since it will let you know when just about anything changes on your server, including config files, new users, etc. I don't know how well it scales, since we're using it but haven't integrated it into our logging server, as we're working on moving away from Splunk to the ELK stack.

JockVSJock 08-08-2016 11:44 AM

Thanks for the response.

Right now I have all of my RHEL servers using rsyslog reporting back to this logging server. I will have to research how to set up logging for what you recommend, or maybe rsyslog can be set up for this.

Splunk and Elasticsearch were recommended by others to review the logs.

ihaveavirus 08-08-2016 12:28 PM

You are very welcome. If you're in a DoD environment you're going to have to install AIDE anyway, so you may as well become familiar with it:

https://access.redhat.com/solutions/55021

http://aide.sourceforge.net/

You can definitely increase the output from rsyslog and fine-tune it to get specific messages. Also, when you start getting into logging, remember that space will be used up very quickly, so it's not a good idea to just "fire and forget". Logging servers require continuous maintenance and fine-tuning to get the results you need for any given requirements.
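As an added example (not posted by anyone in this thread), here is one way to fine-tune rsyslog so that only the events recommended above (logins, sudo, SELinux denials) leave the RHEL clients for the central server, with a disk-assisted queue so a loghost outage does not silently drop events. The loghost name, the file path under /etc/rsyslog.d/, and the use of imfile to pick up audit.log are assumptions; adjust them to your environment.

```rsyslog
# /etc/rsyslog.d/50-central.conf on each RHEL client (path and host assumed)
# RainerScript syntax, rsyslog 7.x or newer.

# auditd writes SELinux AVC records to audit.log, not to syslog, so read
# that file and feed it straight into the forwarding ruleset.
module(load="imfile" PollingInterval="10")
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit:"
      Facility="local6"
      Severity="info"
      ruleset="toCentral")

# Logins, sshd, su and sudo are logged to the authpriv facility on RHEL.
# Everything else keeps going to the local files only.
if ($syslogfacility-text == "authpriv"
    or $programname == "sudo"
    or $programname == "sshd") then {
    call toCentral
}

ruleset(name="toCentral") {
    # Keep only SELinux denials from the audit stream; drop the rest of
    # audit.log so the loghost disk is not filled with every syscall record.
    if ($programname == "audit" and not ($msg contains "type=AVC"
        or $msg contains "type=USER_AVC"
        or $msg contains "type=SELINUX_ERR")) then stop

    # Disk-assisted in-memory queue: buffers to disk while the loghost is
    # unreachable, retries forever, and is flushed on shutdown.
    action(type="omfwd"
           target="loghost.example.internal" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="central_fwd"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

# --- central server side (/etc/rsyslog.d/10-receive.conf, path assumed) ---
# Accept TCP 514 and write one file per sending host and program so that
# auditors can be shown the login/sudo/SELinux trail per server.
module(load="imtcp")
input(type="imtcp" port="514")
template(name="perHost" type="string"
         string="/var/log/central/%HOSTNAME%/%PROGRAMNAME%.log")
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="perHost" fileCreateMode="0640")
    stop
}
```

Validate with `rsyslogd -N1` on both sides before restarting, and remember that the per-host files still need logrotate and a retention policy, as noted above.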

JockVSJock 08-10-2016 01:51 PM

AIDE is something I want to look into as well. However we have Varonis installed, so I'm wondering if I will need both?

The reason I ask is because of the external audits that we have from time to time. I want to set something up in advance, that way when the day comes, I can show the auditors that yes I am auditing various events on the servers.

thanks

Habitual 08-11-2016 07:11 AM

Oracle transaction logs?

JockVSJock 08-11-2016 07:47 AM

Quote:

Originally Posted by Habitual (Post 5589359)
Oracle transaction logs?

Correct, Oracle transaction logs cannot be left on the Oracle server which generated them. They have to be stored elsewhere, encrypted.

ihaveavirus 08-11-2016 10:04 AM

Ooo... Varonis looks like a neat utility and is definitely more advanced than AIDE. AIDE monitors for integrity, but it doesn't actively notify you or prevent any data loss or data exfiltration; you have to manually review the data.
