    Remote syslog server questions

    IT Discussion
    • 1337

      I have never used a remote syslog server (thinking of graylog) so I have a few questions.

      If I send all logs to a remote syslog server, what happens if the syslog server is down?
      Also, will the performance of the syslog server have any effect on the server sending logs?
      Are there any special security concerns regarding having all logs in one place?

      • scottalanmiller @1337

        @Pete-S said in Remote syslog server questions:

        If I send all logs to a remote syslog server, what happens if the syslog server is down?

        Depends on the sending mechanism or client.

        • 1337 @scottalanmiller

          @scottalanmiller said in Remote syslog server questions:

          @Pete-S said in Remote syslog server questions:

          If I send all logs to a remote syslog server, what happens if the syslog server is down?

          Depends on the sending mechanism or client.

          It seems like the servers I want to send logs from all use rsyslog.

          • scottalanmiller @1337

            @Pete-S said in Remote syslog server questions:

            @scottalanmiller said in Remote syslog server questions:

            @Pete-S said in Remote syslog server questions:

            If I send all logs to a remote syslog server, what happens if the syslog server is down?

            Depends on the sending mechanism or client.

            It seems like the servers I want to send logs from all use rsyslog.

            In many cases you would replace that with a client agent. Gives you security, more management, etc.

            • dbeato @1337

              @Pete-S said in Remote syslog server questions:

              I have never used a remote syslog server (thinking of graylog) so I have a few questions.

              If I send all logs to a remote syslog server, what happens if the syslog server is down?
              Also, will the performance of the syslog server have any effect on the server sending logs?
              Are there any special security concern regarding having all logs in one place?

              If the syslog server goes down, the device will try to deliver them until it cannot. Some devices just plain recycle their logs, and so you might lose the data.

              Performance of a syslog server shouldn't affect the server sending them.

              Well, for the security concern, it should not be a problem if it is well protected. However, I would recommend a backup of that server or a mirror of it to another syslog server.

              • travisdh1 @1337

                @Pete-S You can set up rsyslog to keep both the local logs and send to a remote server. Honestly though, I'd just stick with an OSSIM/Wazuh server, as they do the same thing with a lot more functionality and take about the same amount of time to set up.

                • stacksofplates

                  It depends on whether you are using an agent or just rsyslog. Rsyslog can do TLS and compression, but I'm not sure if you can cache until the remote server is back up; you would have to be sending over TCP for it to be able to verify. It can do TCP, but I don't know if it has built-in mechanisms to cache until the remote returns. The best way to handle it with just rsyslog is to have multiple syslog servers (Graylog) to send to, and then they store in their backend (Elasticsearch in the case of Graylog).
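                  Since the thread keeps coming back to what plain rsyslog does when the collector is down (travisdh1's and stacksofplates' posts above), here is an added example rsyslog configuration. It is not from any poster and not Graylog's documentation; the hostname logs.example.internal, the certificate paths, the queue name and the TCP port 6514 are assumptions you would replace. It puts the weak one-line forwarder next to a hardened forwarding action that keeps local logs, verifies the collector over TLS, and spools to disk while the collector is unreachable:

```conf
# /etc/rsyslog.d/50-forward.conf (added example; hostname, paths and port are assumptions)
#
# WEAK: the classic one-liner. UDP, plaintext, fire-and-forget.
# If logs.example.internal is down, every message sent meanwhile is simply lost,
# and anyone on the path can read or spoof the traffic.
#
#   *.* @logs.example.internal:514
#
# HARDENED: TCP + TLS with certificate and name verification, plus a disk-assisted
# queue so messages buffer locally while the collector is unreachable. This file is
# additive: the existing rules in /etc/rsyslog.conf still write the local log files.

global(
  workDirectory="/var/spool/rsyslog"
  defaultNetstreamDriver="gtls"
  defaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  defaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/client-cert.pem"
  defaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/client-key.pem"
)

*.* action(
  type="omfwd"
  target="logs.example.internal"
  port="6514"
  protocol="tcp"
  # TLS only; verify the collector's certificate chain and that its name matches
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logs.example.internal"
  # Disk-assisted queue: in memory while the collector answers, spilled to
  # /var/spool/rsyslog/fwd_graylog.* (up to 1 GiB) when it does not,
  # and written out on shutdown so a reboot does not drop the backlog
  queue.type="LinkedList"
  queue.filename="fwd_graylog"
  queue.maxDiskSpace="1g"
  queue.saveOnShutdown="on"
  # Never give up on the action; retry every 30 s until the collector is back
  action.resumeRetryCount="-1"
  action.resumeInterval="30"
)
```

                  Check the syntax with `rsyslogd -N1` before restarting, then stop the collector and watch `/var/spool/rsyslog/fwd_graylog.*` appear while `logger` keeps working locally. This also answers the performance question in the thread: the queue decouples the sending host from the collector's speed, at the cost of the disk cap, after which rsyslog starts discarding rather than blocking the host. The collector side needs a matching TLS TCP listener (a Graylog "Syslog TCP" input with TLS enabled is assumed here), and `x509/name` only authenticates the server; if you also want the collector to reject unknown senders, it has to verify the client certificate on its end.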
