As part of the ongoing work around preparing a Debian web server to host applications accessible from the

The main system loggers I looked into

GNU syslogd, which I don’t think is being developed anymore? Correct me if I’m wrong. Most Linux distributions no longer ship with this. I didn’t spend long looking at this as there wasn’t much point. The following two offerings are the main players.

rsyslog: which ships with Debian and most other Linux distros now I believe. I like to do as little as possible and rsyslog fits this description for me. Rainer Gerhards wrote rsyslog and his blog provides some good insights. Rsyslog is great at gathering, transporting and storing log messages and includes some really neat functionality for dividing the logs. It’s not designed to alert on logs. That’s where the likes of Simple Event Correlator (SEC) comes in. Rainer discusses why TCP isn’t as reliable as many think here. There is also the Reliable Event Logging Protocol (RELP), which Rainer created.

syslog-ng: I didn’t spend too long here, as I didn’t see any features that I needed that were better than the default of rsyslog. Can correlate log messages, both real-time and off-line. Message filtering, sorting, pre-processing, log normalisation. Supports reliable and encrypted transport using TCP and TLS.

Most of the ones I’ve seen are a bit biased and often out of date.

- Record events and have them securely transferred to another syslog server in real-time, or as close to it as possible, so that potential attackers don’t have time to modify them on the local system before they’re replicated to another location.
- Reliability (resilience / ability to recover connectivity).
- Extensibility: ability to add more machines and be able to aggregate events from many sources on many machines.
- Receive notifications from the upstream syslog server of specific events. No HIDS is going to remove the need to reinstall your system if you are not notified in time and an attacker plants and activates their root-kit.
- Receive notifications from the upstream syslog server of lack of events. The network is down, for example.

A couple of servers in the mix:

FreeNAS File Server
Recent versions can send their syslog events to a syslog server. With some work, it looks like FreeNAS can be set up to act as a syslog server.

pfSense Router
Can send log events, but only by UDP by the look of it.

Following are the two strategies that emerged. You can see by the detail that I went down the path of the first one initially. It was the path of least resistance / quickest to set up. I’m going to be moving away from papertrail toward strategy two. Mainly because I’ve had a few issues where messages have been getting lost that have been very hard to track down (I’ve spent over a week on it).
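As an added example (not configuration from the original post or from the rsyslog project), here is one way the goals above map onto rsyslog on both ends: the web server forwards over TLS with a disk-assisted queue so nothing is dropped while the upstream is unreachable, and the upstream accepts authenticated TLS from the web server and FreeNAS, accepts plain UDP only from the pfSense router (which can only send UDP), and files remote events per sender. Hostnames, addresses and certificate paths (logserver.example.net, 192.0.2.1, /etc/rsyslog.d/tls/) are assumptions for illustration.

```conf
# ---------- Client: the Debian web server, /etc/rsyslog.d/10-forward.conf ----------
# Assumed: upstream is logserver.example.net, certificates live in /etc/rsyslog.d/tls/.
module(load="imuxsock")   # local /dev/log
module(load="imklog")     # kernel messages

# GnuTLS netstream driver. The client verifies the upstream's certificate name
# and presents its own certificate so the upstream can authenticate it.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/webserver-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/webserver-key.pem"
)

# Forward everything over TLS-wrapped TCP. The disk-assisted queue spools
# messages locally while the link is down and replays them when it returns
# (the "reliability / recover connectivity" goal). resumeRetryCount=-1 means
# the action is retried indefinitely instead of being suspended.
action(
  type="omfwd" target="logserver.example.net" port="6514" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="logserver.example.net"
  queue.type="LinkedList" queue.filename="fwd_logserver"
  queue.saveOnShutdown="on" queue.maxDiskSpace="512m"
  action.resumeRetryCount="-1" action.resumeInterval="10"
)

# ---------- Server: logserver.example.net, /etc/rsyslog.d/10-receive.conf ----------
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/logserver-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/logserver-key.pem"
)

# One file per sending host and program. FROMHOST-IP is taken from the
# connection, whereas HOSTNAME is whatever the sender wrote into the message,
# so the directory is keyed on the former.
template(name="PerSenderFile" type="string"
         string="/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME%.log")

# Everything that arrived over the network lands here and stops, so it is
# never mixed into the server's own /var/log/syslog.
ruleset(name="remote") {
  action(type="omfile" dynaFile="PerSenderFile")
  stop
}

# Authenticated TLS from the web server and FreeNAS (adding a machine means
# adding its certificate name here: the "extensibility" goal).
module(load="imtcp"
       StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["webserver.example.net", "freenas.example.net"])
input(type="imtcp" port="6514" ruleset="remote")

# pfSense can only send plain UDP: accept it, but only from the router's
# address (assumed 192.0.2.1); anything else claiming to be syslog is dropped.
module(load="imudp")
ruleset(name="from_router") {
  if $fromhost-ip != "192.0.2.1" then stop
  call remote
}
input(type="imudp" port="514" ruleset="from_router")
```

The UDP leg is unauthenticated and unencrypted by nature, so it should only ever cross the LAN segment between the router and the log server, and the source-address check above is no substitute for a firewall rule on the log server. Note that this configuration covers the first three goals; alerting on specific events and on the absence of events is outside what rsyslog does on its own, which is where the post points at SEC.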