1

I am working in a Linux environment, and I would like to gather all the logs from the machine pool on a single machine X. There are several log files I need to move, and I am not sure how I should do it.

Should I make the machines send the logs from time to time to the monitoring machine? I would configure a cron job on every machine that creates a copy of the logs and sends it by scp.

Or should I configure the monitoring machine to go and fetch the log files? That would imply creating a specific user "logger" on every machine, to which X would connect with scp (logger would have read rights on the logs I need).

I do not know how many machines I will have in my pool, so it can go from 1 to 99999 machines. Log file paths may differ from one machine to another. Security is important in my case; I don't want someone else to be able to intercept or read the logs.

I would like the process to be as simple as possible and not to use libraries or other software if possible.

user3779430
  • 121
  • 2
  • If you need to move log files, I suggest you stream the logs in real time: configure your apps to log to a remote Syslog server. That way you'll get instant feedback instead of pulling the logs every X minutes (which may give an attacker enough time to get in, through a zero day for example, and clean the logs before they're sent out). – Apr 23 '15 at 15:00
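The push variant the question describes (cron on every machine, copy of the logs, scp to X), as an added example that is not part of the original post or its answers. It assumes a "logger" account on X, a dedicated push key and the host name x.example.net; all of those are hypothetical. The snapshot keeps each file's original absolute path inside the archive, which covers the point that log paths differ from machine to machine, and ships a sha256 manifest so X can detect a truncated or corrupted transfer.

```shell
#!/bin/sh
# Added example (not from the original post): push-side log collector.
# Hypothetical names: the "logger" account on X, the key path and the host
# x.example.net are assumptions, not anything stated on the page.
set -eu

# Copy the given log files into a tarball together with a sha256 manifest.
# Original absolute paths are kept inside the archive, so machines with
# different log layouts can share one receiver on X. Prints the archive path.
snapshot_logs() {
    out_dir=$1
    shift
    host=$(hostname 2>/dev/null || echo unknown-host)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$work/logs"
    copied=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "skipping unreadable file: $f" >&2
            continue
        fi
        mkdir -p "$work/logs$(dirname "$f")"
        cp -p "$f" "$work/logs$f"
        copied=$((copied + 1))
    done
    if [ "$copied" -eq 0 ]; then
        rm -rf "$work"
        echo "no readable log files" >&2
        return 1
    fi
    (cd "$work/logs" && find . -type f -exec sha256sum {} + | sort) \
        > "$work/MANIFEST.sha256"
    archive="$out_dir/$host-$stamp.tar.gz"
    tar -C "$work" -czf "$archive" logs MANIFEST.sha256
    rm -rf "$work"
    echo "$archive"
}

# Run on X after the transfer: unpack and check every file against the
# manifest. Returns non-zero if any file is missing or altered.
verify_snapshot() {
    archive=$1
    work=$(mktemp -d)
    tar -C "$work" -xzf "$archive"
    if (cd "$work/logs" && sha256sum -c --quiet ../MANIFEST.sha256 >/dev/null 2>&1); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Push the archive to X over scp. StrictHostKeyChecking=yes means X's host
# key must already be in known_hosts, so an interposed host cannot receive
# the logs; BatchMode=yes makes an unattended cron run fail instead of hang.
push_snapshot() {
    archive=$1
    dest_host=$2
    key=$3
    scp -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$archive" "logger@$dest_host:incoming/"
}

# Typical cron line on each pool machine (assumed paths):
#   */15 * * * * /usr/local/bin/collect-logs.sh
# where collect-logs.sh sources this file and runs:
#   a=$(snapshot_logs /var/tmp/logsnap /var/log/app.log /var/log/auth.log)
#   push_snapshot "$a" x.example.net /root/.ssh/push-key && rm -f "$a"
```

Two caveats a practitioner would want. First, in the push model every pool machine holds a key that can log in to X, so the "logger" account's authorized_keys on X should carry `restrict,command="..."` in front of each key, pointing at a receive script that only accepts a file into its incoming directory; a compromised pool machine then cannot do anything else on X. The pull model from the question mirrors this: the "logger" user on each pool machine gets X's key with `restrict,command="cat /var/log/app.log"` (path assumed), so X can read that file and nothing more. Second, the manifest only detects damage in transit; it is built on the pool machine, so an attacker who already has root there can rewrite the logs and the manifest together before the cron run, which is the gap the comment above about real-time streaming is pointing at.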

2 Answers

1

OSSEC does what you want, and will probably save you from largely reinventing the wheel.

If you really don't want to use additional software, at least have a look at their model, how they authenticate their clients, and where and why they trust the output from processed logs.

aportr
  • 288
  • 3
  • 9
0

If you create such an application, offer both ways to your users.

If a server has to actively push the log files then your user needs to install some kind of agent on his monitored server. This could be discouraged in some environments.

If you pull the log files, then no further installation is needed on the servers except allowing access to the log files.

So offer both to your customers and let them decide.

Uwe Plonus
  • 574
  • 3
  • 14
  • Actually there are no customers; I need to monitor my VMs that are running in their companies. I was just wondering what is usually done and why. – user3779430 Apr 23 '15 at 11:48