I have tried the syslog option; because it is UDP, it just sends off the
data and doesn't care if it makes it.
That sucks if you really want to make sure you have everything.
Keep in mind that what I explain here is not real time; I pull mine down every
hour from the 34 servers.
What I did was this:
#DO ON ALL FIREWALLS
Create an account on all firewalls; for this example, let's call this account
centrallogs (make the password very strong).
#Do On Central (Log) system
1. Log in as the centrallogs user, create your private/public key pair, and
put your public key in the authorized_keys file in the .ssh directory of the
centrallogs home directory on all your remote firewalls.
2. Create a folder in /var called pflogs, set its mode to 770, and set its
owner to the centrallogs user.
3. Next, go into /home/centrallogs, make a new file called getlogs, set its
mode to 770, and put this in the file:
#!/bin/sh
# Log files from remote firewalls.
# The "&&" chaining means the remote rm only runs if the rotate and the
# scp succeeded, so a failed copy leaves the files on the firewall.
# firewall A
ssh centrallogs@firewallA /usr/local/bin/rotatelogs &&
  scp 'centrallogs@firewallA:/var/log/pflog-*' /var/pflogs/ &&
  ssh centrallogs@firewallA 'rm /var/log/pflog-*'
# firewall B
ssh centrallogs@firewallB /usr/local/bin/rotatelogs &&
  scp 'centrallogs@firewallB:/var/log/pflog-*' /var/pflogs/ &&
  ssh centrallogs@firewallB 'rm /var/log/pflog-*'
4. Create a crontab on the log server for the centrallogs user:
#Rotate pflogs and bring them to the central server
10 * * * * /home/centrallogs/getlogs
#Do on all remote firewalls
1. On your remote firewalls, add this to /etc/sudoers.
(What I have done here could be reduced a lot, as you only need to be able
to HUP pflogd. I wasn't sure what needed to be done here, so I did it
this way for the moment. Recommendations?)
centrallogs ALL=(ALL) NOPASSWD: ALL
2. Go to /var and change the mode of the log folder to 775.
3. Go into /usr/local/bin, create a file called rotatelogs, set its mode
to 770, and put this in the file:
#!/bin/sh
# This script rolls the pflog file over to a new file so that it can be
# transferred to the corporate log server every hour.
DATE=$(date +%d%m%y%H)
HOSTNM=$(hostname -s)
ROTATED="/var/log/pflog-$DATE$HOSTNM"
sudo mv /var/log/pflog "$ROTATED"
# The rotated file is still owned by root after the mv; hand it to the
# collector account first, otherwise the chmod fails with "operation not
# permitted" and scp cannot read the file.
sudo chown centrallogs "$ROTATED"
chmod 660 "$ROTATED"
touch /var/log/pflog
sudo kill -HUP "$(cat /var/run/pflogd.pid)"
4. Comment out (with a "#") the pflog entry in the newsyslog.conf file
located in /etc, because we will handle that here with these processes.
I believe that is all that is needed.
The first time this runs, it will give some errors regarding "operation
not permitted" and "access denied"; run it twice manually to start and it
should be good after that. It will give the same errors on the first run
for every new firewall added. I would suggest testing that the key
worked before leaving it as is:
log in to the central log server as the centrallogs user and type
ssh centrallogs@firewallA ls -l and see if it works without prompting for
a password. It should just return the file list in the centrallogs home
folder on the remote firewall.
This is use at your own risk, as I'm fairly new to this and I needed to
hack something up that would help me manage all my firewalls by keeping
my logs centrally, but I am tossing this out to get feedback and maybe
help you figure out what might work best for you.
I am interested in what you all think of the above. Please note, I might
have missed a setup step or two, but should you have any problems, feel
free to contact me outside of the list (I don't want to annoy everyone)
and I will work on getting you the exact process I used to build this,
including the process for building the keys (no passwords were used when
making them, by the way).
Please keep in mind that I have my firewalls only allowing SSH between
them, and my account passwords are very secure.
I don't know what the better option for this is, as I have tried a few, but
this has worked 100% for me for the past 3 weeks.
I am doing this for 34 firewalls right now, and as of today I added some
extra steps to this to actually get all the data into Hatchet on my
central server, but since my logs for 3 weeks are 4 GB, I don't know if
Hatchet will favor that, so I have modified hatchet.cgi to handle
queries based on a specific query string to output only what I need to
see.
It works very well to date and I'm happy with it; the only thing I need now is
to know what I can use to join all my pflog files together for
each firewall, as right now I have a different one every hour for each
firewall.
Just wanted to toss a thanks out to Jason Dixon for Hatchet; it works
great....
James Mackinnon
On 11/7/2005, CL Martinez wrote:
>Hi all,
>
> I would like to use a central management server for a couple of obsd
>firewalls. At this point I need to resolve two important questions:
>
>a) Rules repository: which is the best form?
>
> - putting rules via ssh on the obsd firewalls from management (or
>vice versa).
>
> - using a cvs repository on the management server. In this case, how
>can I put the rules on obsd?
>
> - another option?
>
>
>b) Firewall logs: I do not need a graphical frontend at this moment.
>tcpdump is sufficient. But how can I upload logs in a secure
>manner to the management server, and how can I administer these logs (I need
>to do some searches, etc.)? Is syslog my only option?
>
>Any ideas? Thank you very much, and sorry for my bad English.
>
>
>--
>CL Martinez
>carlopmart {at} gmail {d0t} com
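
The collection procedure above (rotate on the firewall, scp to the central server, delete on the firewall), reworked as an added example that is not part of James Mackinnon's post. It addresses the two weak points in the posted scripts: the remote rm runs even when the scp failed, and the firewall-side account gets NOPASSWD: ALL although only one privileged step is needed. Here the firewall script runs as root through a single sudoers rule (centrallogs ALL=(root) NOPASSWD: /usr/local/bin/rotatepflog, or the equivalent doas rule on current OpenBSD), prints a sha256 digest per rotated file, and the collector deletes a remote file only after the local copy matches that digest. The names rotate_pflog, rotatepflog, pull_from, ROTATE_CMD, COLLECTOR_USER and DEST are assumptions for this example, and the sample pflog content in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Two functions:
#   rotate_pflog  - runs on each firewall as root, via a single sudo/doas rule
#   pull_from     - runs on the central server, one call per firewall
# Hypothetical names: rotate_pflog/rotatepflog, pull_from, ROTATE_CMD,
# COLLECTOR_USER, DEST. Assumed sudoers rule on the firewall:
#   centrallogs ALL=(root) NOPASSWD: /usr/local/bin/rotatepflog
set -eu

COLLECTOR_USER=${COLLECTOR_USER:-centrallogs}
DEST=${DEST:-/var/pflogs}
ROTATE_CMD=${ROTATE_CMD:-"sudo /usr/local/bin/rotatepflog"}

# sha256 digest of a file: sha256sum on Linux, sha256 -q on OpenBSD.
sum_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# rotate_pflog LOGDIR PIDFILE OWNER
# Moves LOGDIR/pflog to a per-host timestamped name, hands it to OWNER (the
# collector account) and HUPs pflogd, which reopens LOGDIR/pflog and creates
# it if missing. Prints "<sha256> <path>" for every rotated file still in
# LOGDIR, so a file a previous pull failed to fetch is offered again.
rotate_pflog() {
    logdir=$1 pidfile=$2 owner=$3
    host=$(hostname -s 2>/dev/null || uname -n)
    if [ -s "$logdir/pflog" ]; then
        rotated="$logdir/pflog-$host-$(date +%Y%m%d%H%M%S)"
        mv "$logdir/pflog" "$rotated"
        chown "$owner" "$rotated"
        chmod 0600 "$rotated"
    fi
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    else
        echo "rotate_pflog: $pidfile unreadable, is pflogd running?" >&2
    fi
    for f in "$logdir"/pflog-*; do
        if [ -f "$f" ]; then
            echo "$(sum_file "$f") $f"
        fi
    done
}

# Transport wrappers, kept separate so they can be swapped out for testing.
remote_sh()  { ssh -o BatchMode=yes "$COLLECTOR_USER@$1" "$2"; }
remote_get() { scp -q -o BatchMode=yes "$COLLECTOR_USER@$1:$2" "$3"; }

# pull_from HOST
# Rotates on HOST, copies each rotated file into DEST and deletes the remote
# copy only when the local digest matches the one computed on the firewall.
# Anything else is left on the firewall for the next run; returns 1 if so.
pull_from() {
    host=$1 failed=0
    mkdir -p "$DEST"
    listing=$(remote_sh "$host" "$ROTATE_CMD") || return 1
    while read -r sum path; do
        [ -n "$path" ] || continue
        dst="$DEST/$host-$(basename "$path")"
        if remote_get "$host" "$path" "$dst" && [ "$(sum_file "$dst")" = "$sum" ]; then
            remote_sh "$host" "rm -f '$path'"
        else
            echo "pull_from: kept $host:$path (copy failed or digest mismatch)" >&2
            rm -f "$dst"
            failed=1
        fi
    done <<EOF
$listing
EOF
    return "$failed"
}

# Central-side driver, the equivalent of the poster's getlogs; run hourly
# from cron as the collector user, e.g.
#   10 * * * * /home/centrallogs/pullpflogs firewallA firewallB
main() {
    rc=0
    for fw in "$@"; do
        pull_from "$fw" || rc=1
    done
    return "$rc"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because deletion is gated on the digest, a dropped connection or a file that pflogd was still flushing into when it was hashed costs nothing but a delay: the file stays on the firewall and is offered again at the next run. The hourly pieces are ordinary pcap files, so they can be concatenated per firewall with mergecap from Wireshark (mergecap -w firewallA.pcap firewallA-pflog-*), which is a tool outside the original post.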