What are you logging on a syslog server?
Have a RHEL server where all Oracle databases place the .aud and .dmp files their on a daily basis for safe keeping/audit.
I would like to expand what is backed up/audited to this server and was wondering what others have logged to a syslog server? Thanks
At the bare minimum you should log:
- logins
- sudo
- messages
- SELinux violations

If you want to get a little more advanced I suggest looking into AIDE, since it will let you know when just about anything changes on your server, including config files, new users, etc. I don't know how well it scales, since we're using it but haven't integrated it into our logging server, as we're working on moving away from Splunk to the ELK stack.
Thanks for the response.
Right now I have all of my RHEL servers using rsyslog reporting back to this logging server. I will have to research how to set up logging for what you recommend, or maybe rsyslog can be set up for this. Splunk and Elasticsearch were recommended by others for reviewing the logs.
You are very welcome. If you're in a DoD environment you're going to have to install AIDE anyways, so you may as well become familiar with it:
https://access.redhat.com/solutions/55021
http://aide.sourceforge.net/

You can definitely increase the output from rsyslog and fine tune it to get specific messages. Also, when you start getting into logging, remember that space will be used up very quickly, so it's not a good idea to just "fire and forget". Logging servers require continuous maintenance and fine tuning to get the results you need for any given requirement.
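As an added illustration (not from the thread or from any poster), here is one way to make a RHEL client forward the categories recommended above: authentication events (logins, sudo, su), the general messages stream, and the auditd log, which carries SELinux AVC denials and is not sent through syslog by default. The host name `loghost.example.internal`, the file name, and the `local6` facility used to tag the audit feed are placeholders.

```conf
# Constructed example: /etc/rsyslog.d/50-forward-audit.conf on each RHEL client.
# "loghost.example.internal" is a placeholder for the central rsyslog server,
# which must already accept TCP syslog (imtcp) on port 514.

# auditd writes /var/log/audit/audit.log directly, bypassing syslog, so read it
# with imfile. This is where SELinux AVC denials and USER_LOGIN records live.
module(load="imfile")
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit"
      Severity="info"
      Facility="local6")      # local6 is an assumed, otherwise unused facility

# Disk-assisted queue for the forwarding action below, so records are buffered
# on local disk and retried forever if the log server is down, instead of lost.
$ActionQueueType LinkedList
$ActionQueueFileName fwdAudit
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# What to send, using the facility selectors the thread's advice maps onto:
#   authpriv.*  -> logins, sudo, su, sshd, PAM
#   *.info      -> the same stream that fills /var/log/messages, including the
#                  setroubleshoot "SELinux is preventing ..." notices;
#                  mail and cron are excluded here to limit volume
#   local6.*    -> the audit.log feed tagged above
# "@@" selects TCP (a single "@" would be UDP, which silently drops on loss).
authpriv.*;local6.*;*.info;mail.none;cron.none  @@loghost.example.internal:514
```

Volume follows from the `*.info` selector; if the central server fills up, narrow that selector first (for example to `kern.*;daemon.warning`) rather than dropping `authpriv` or the audit feed, since those are what an auditor will ask for.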
AIDE, is something I want to look into as well. However we have Varonis installed, so I'm wondering if I will need both?
The reason I ask is because of the external audits that we have from time to time. I want to set something up in advance, that way when the day comes, I can show the auditors that yes, I am auditing various events on the servers. Thanks
Oracle transaction logs?
Ooo, Varonis looks like a neat utility and is definitely more advanced than AIDE. AIDE monitors for integrity, but it doesn't actively notify you or prevent any data loss or data exfiltration; you have to manually review the data.