Apple Mac OS X Server Network Card User Manual

Chapter 17 Configuring System Logging 283
Remote Logging
Using remote logging in addition to local logging is strongly recommended for any
server system, because local logs can easily be altered if the system is compromised.
Several security issues must also be considered when making the decision to use
remote logging. First, the syslog process sends log messages as clear text, which could
expose sensitive information. Second, too many log messages may fill storage space on
the logging system, making further logging impossible. Third, log files can indicate
suspicious activity only if a baseline of normal activity has been established, and if they
are regularly monitored for such activity. If these security issues outweigh the security
benefit of remote logging for the network being configured, then remote logging
should not be used.
Configuring Remote Logging on a Client Computer
To configure a client computer for remote logging, you must alter the syslog.conf
configuration file. The following instructions assume that a remote log server has been
configured on the network.
To enable remote logging on a client computer:
1 Open the /etc/syslog.conf file as root.
2 Add the following line to the top of the file, replacing your.log.server with the name or
IP address of the log server. Make sure to keep all other lines intact:
*.* @your.log.server
3 Exit, saving changes.
4 Send a hangup signal to syslogd to make it reload the configuration file:
$ sudo killall -HUP syslogd
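The four steps above, carried out as shell functions, form an added example that is not part of Apple's guide. The functions work on any syslog.conf-style file given as a path, insert the `*.* @your.log.server` rule at the top only if it is not already there, and leave every other line intact; the file path and the log server name (`logs.example.internal`) are assumptions for illustration. The reload with `killall -HUP syslogd` is the one step that cannot be exercised on a copy of the file, so it is left as the final command to run against the real /etc/syslog.conf.

```shell
# Added example, not from Apple's guide: prepend the remote-logging rule to a
# syslog.conf-style file idempotently. CONF is any file path; SERVER is the
# name or IP address of the log server (both assumed for illustration).

# Print the forwarding rule exactly as syslogd expects it.
remote_rule() {
    printf '*.* @%s\n' "$1"
}

# Return 0 if CONF already contains a whole line forwarding everything to SERVER.
has_remote_log_target() {
    conf="$1"; server="$2"
    # -x matches the whole line, -F treats '*.*' literally rather than as a regex.
    grep -qxF "$(remote_rule "$server")" "$conf"
}

# Prepend the rule to CONF unless it is already present; other lines are untouched.
add_remote_log_target() {
    conf="$1"; server="$2"
    if has_remote_log_target "$conf" "$server"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    { remote_rule "$server"; cat "$conf"; } > "$tmp" && mv "$tmp" "$conf"
}

# Step 4 of the procedure, once the real file has been edited as root:
#   sudo killall -HUP syslogd
# syslogd re-reads /etc/syslog.conf on SIGHUP and starts forwarding.
```

Running `add_remote_log_target /etc/syslog.conf logs.example.internal` twice leaves a single forwarding line, which matters when the change is pushed by a configuration script: a duplicated `*.*` rule would send every message to the log server twice and hasten the storage exhaustion the text warns about.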
Configuring Remote Logging on a Server
The remote logging software included with Mac OS X Server is the syslog daemon
syslogd. This service accepts and stores log messages from other systems on the
network. In the event that another system is compromised, its local logs can be altered,
so the log server may contain the only accurate system records. Remote logging should
only be enabled across a trusted internal network or VPN. By default, Mac OS X Server
performs only local logging and will not act as a log server.
Configuring Mac OS X Server to act as a remote log server involves changing the
syslogd command-line arguments. Enabling remote logging requires removing the -s
flag from the syslogd invocation; without -s, syslogd accepts log traffic via UDP from
any host, which can present security risks. To better control which hosts are allowed
to send logging message traffic, use the -a option to ensure that log messages from
only certain IP addresses are accepted. The -a option may be used multiple times to
specify additional hosts. The -a option should be followed with an address in the
following format:
-a ipaddress/masklen[:service]
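As an added example that is not part of Apple's guide, the functions below validate peer specifications against the `ipaddress/masklen[:service]` format given above and assemble the repeated `-a` arguments for syslogd, refusing the whole list if any entry is malformed. The network addresses are constructed for illustration, and the example does not assume anything about where Mac OS X Server stores the daemon's arguments, which this page does not state.

```shell
# Added example, not from Apple's guide: check -a peer specs of the form
# ipaddress/masklen[:service] and build syslogd's argument list from them.

# Return 0 if SPEC is a well-formed allowed-peer entry: a dotted-quad IPv4
# address, a masklen of 0-32, and an optional non-empty :service suffix.
valid_peer_spec() {
    spec="$1"
    case "$spec" in
        */*) ;;
        *)   return 1 ;;           # the /masklen part is mandatory
    esac
    addr=${spec%%/*}
    rest=${spec#*/}
    masklen=${rest%%:*}
    # Four decimal octets, each 0-255.
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    case "$masklen" in
        ''|*[!0-9]*) return 1 ;;   # masklen must be a plain number
    esac
    [ "$masklen" -le 32 ] || return 1
    case "$rest" in
        *:) return 1 ;;            # a trailing colon with no service is an error
    esac
    return 0
}

# Build "-a spec -a spec ..." from a whitespace-separated list of specs.
# Prints nothing and returns 1 on the first bad entry, so a typo cannot
# silently widen the set of hosts the log server accepts messages from.
build_allowed_peer_args() {
    out=""
    for spec in $1; do
        valid_peer_spec "$spec" || return 1
        out="$out -a $spec"
    done
    printf '%s\n' "${out# }"
}

# Weak: -s removed and no -a given, so any host can send UDP syslog traffic:
#   syslogd
# Hardened: only the listed trusted networks are accepted (constructed addresses):
#   syslogd $(build_allowed_peer_args "192.168.10.0/24 10.8.0.0/16")
```

Using a whitelist of specific networks keeps the log server consistent with the guidance above that remote logging run only across a trusted internal network or VPN, and the fail-closed behaviour of `build_allowed_peer_args` means a malformed entry surfaces as an error rather than as an unexpectedly open syslog listener.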