5. Edit the /etc/rc.config.d/syslog-ng file and change the CLOG_CONFIGURED line to CLOG_CONFIGURED=0. Remove all other CLOG lines except for the following:

CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts
CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

6. If ssh port forwarding was configured, remove the following line from /etc/services:

clog_ssh port/tcp # Consolidated logging with ssh port forwarding

3.5 Securing Consolidated Logs

On a standard HP-UX system, all users can view the system's local /var/adm/syslog/syslog.log. Access to consolidated logs is typically restricted. The log consolidation server system itself is usually a restricted access system with strict security policies in place.

3.5.1 Log File Protections

One level of protection is the permissions on the consolidated log files themselves. This is controlled using the syslog-ng.conf.server file. Each syslog-ng "file" destination can have specific ownership and permissions specified as options of the file() statement. If the log directory for a consolidated file does not exist, syslog-ng can be instructed to create it (create_dirs(yes)) and to set the ownership and permissions of that directory as well. For example,

destination d_file {
    # ownership and mode options belong inside file(); the dir_* options
    # take effect only when syslog-ng creates the directory (create_dirs(yes))
    file("/clog/test/example.log" create_dirs(yes)
         dir_owner(root) dir_group(sys) dir_perm(0600)
         owner(root) group(sys) perm(0600));
};
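As an added example (not code from the manual or from DSAU), the following Python audit parses the file() destinations out of a syslog-ng.conf.server fragment and reports any whose perm(), owner(), group() or dir_perm() options would leave a consolidated log readable beyond the root:sys policy described above; the configuration fragment it scans is constructed for this example.

```python
import re

# Constructed sample of a syslog-ng.conf.server fragment (not taken from the manual).
SAMPLE_CONF = """
destination d_ok {
    file("/clog/test/example.log" create_dirs(yes)
         dir_owner(root) dir_group(sys) dir_perm(0700)
         owner(root) group(sys) perm(0600));
};
destination d_loose { file("/clog/test/loose.log" perm(0644)); };
destination d_net { tcp("10.0.0.5" port(1999)); };
"""

# destination <name> { ... };   file("<path>" <options>);   <option>(<value>)
DEST_RE = re.compile(r'destination\s+(\w+)\s*\{(.*?)\};', re.S)
FILE_RE = re.compile(r'file\s*\(\s*"([^"]+)"(.*?)\)\s*;', re.S)
OPT_RE = re.compile(r'(\w+)\s*\(\s*([^()]*?)\s*\)')

def audit_file_destinations(conf, max_perm=0o600, owner="root", group="sys"):
    """Return {destination: [problem, ...]} for every file() destination whose
    options would leave the consolidated log readable beyond the owner/group
    policy. Destinations with no findings are omitted."""
    findings = {}
    for name, body in DEST_RE.findall(conf):
        for path, opts in FILE_RE.findall(body):
            o = dict(OPT_RE.findall(opts))
            problems = []
            perm = o.get("perm")
            if perm is None:
                problems.append("no perm(): file mode falls back to syslog-ng defaults")
            elif int(perm, 8) & ~max_perm:
                problems.append(f"perm({perm}) is wider than {max_perm:04o}")
            for key, want in (("owner", owner), ("group", group)):
                if o.get(key) != want:
                    problems.append(f"{key}({o.get(key, '')}) is not {want}")
            # dir_* options only matter when syslog-ng creates the directory itself
            if o.get("create_dirs") == "yes":
                dperm = o.get("dir_perm")
                if dperm is None or int(dperm, 8) & 0o077:
                    problems.append("created directory is not restricted to its owner")
            if problems:
                findings[name] = [f"{path}: {p}" for p in problems]
    return findings

if __name__ == "__main__":
    for dest, probs in audit_file_destinations(SAMPLE_CONF).items():
        print(dest, "->", "; ".join(probs))
```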

3.5.2 ssh Port Forwarding

ssh port forwarding sets up a tunnel for the log traffic between the syslog-ng log forwarding client and the syslog-ng log consolidation server. This ssh-based tunnel is only available when using the TCP transport, not UDP. Also, ssh port forwarding is not used when forwarding log traffic within a Serviceguard cluster (member to member); standard TCP or UDP is used for intra-cluster log traffic.

ssh port forwarding is transparent to syslog-ng. The /etc/syslog-ng.conf.client file is configured so that syslog-ng forwards log traffic to a local port managed by ssh. The local ssh connects to the remote sshd on the log consolidation server, and sshd delivers the traffic to the standard syslog-ng TCP port there. The remote log consolidation server believes it has a standard log forwarding client and is unaware of the tunneling taking place.

One problem with ssh tunneling is failure of the log consolidation server. If the syslog-ng server stops or crashes, the remote ssh tunnels disconnect. The client ssh tunnels will try to reconnect at one minute intervals; this ssh reconnect interval is configurable.

Each failed ssh reconnect attempt is logged to the client's local syslog.log. During this time the client's syslog-ng, which only sees its local tunnel port, will also be retrying its own connection to the tunnel, and its log (/var/adm/syslog/syslog-ng.log) will show those attempts. The default syslog-ng reconnect time is 10 seconds, which is separate from the ssh interval above and is configurable using syslog-ng's global time_reopen(seconds) option. See the syslog-ng open source reference manual (/opt/dsau/doc/syslog-ng) for details.

3.5.2.1 ssh Port Forwarding to a Serviceguard Cluster Log Consolidator

When using ssh port forwarding with a Serviceguard cluster as the log consolidation server, a special ssh configuration is required.

78 Consolidated Logging
