Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring a System
Using Distributed Systems Administration Utilities
Chapter 3
implies that the administrator trusts the remote system. See the ssh
section in the log forwarding client section for establishing stronger
security guarantees.
The /etc/services file documents the well-known reserved ports. When
choosing a reserved port, the wizard checks /etc/services and also runs
“netstat -an” to verify that the port is not in use.
Note that syslogd uses UDP port 514. TCP port 514 is reserved for use
by remsh. remsh is not a secure protocol and is disabled at many sites. If
remsh has been disabled on the consolidator, you could use TCP port 514.
This has the advantage that it is a privileged port and it is the same as
the UDP port number so it is easy to remember and manage. However, if
the administrator changes the system to re-enable the use of remsh,
syslog-ng would have to be reconfigured to use a new port and all the
client systems that forward to this system would have to be updated.
Unlike UDP, TCP is a connection-oriented protocol. Each log forwarding
client using TCP will have a connection to the log consolidation server. In
order to avoid denial of service attacks, the default number of TCP
connections accepted by syslog-ng is limited to 10 connections. For
larger numbers of clients, edit the consolidation server’s
/etc/syslog-ng.conf.server file. Find the TCP source line in the file:
source s_syslog_tcp { tcp(port(<TCP port>) keep-alive(yes));};
and add a max-connections() attribute as follows:
source s_syslog_tcp { tcp(port(<TCP port>) keep-alive(yes) max-connections(N)); };
where N is the expected number of clients.
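The check below is an added example, not taken from the HP-UX guide: it reads a consolidation server configuration, reports the effective tcp() connection limit (10 when max-connections() is absent, as stated above), and compares it with the expected client count. The sample configurations, port 1514, the client counts and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): report the effective tcp() connection
# limit of a syslog-ng server config and compare it with the client count.
DEFAULT_MAX=10   # default limit stated in the text above

# Print the limit of the first tcp() source in file $1; exit 2 if none exists.
tcp_max_connections() {
    awk -v def="$DEFAULT_MAX" '
        /^[ \t]*#/ { next }                  # ignore comment lines
        { buf = buf " " $0 }                 # join lines: statements may wrap
        END {
            n = split(buf, stmt, "}")        # one chunk per { ... } statement
            for (i = 1; i <= n; i++) {
                if (stmt[i] !~ /source[ \t]+[A-Za-z0-9_]+[ \t]*[{].*tcp[ \t]*\(/)
                    continue
                limit = def                  # no attribute means the default
                if (match(stmt[i], /max-connections[ \t]*\([ \t]*[0-9]+/)) {
                    limit = substr(stmt[i], RSTART, RLENGTH)
                    sub(/^[^0-9]*/, "", limit)   # keep only the number
                }
                print limit
                exit 0
            }
            exit 2                           # no tcp() source found
        }' "$1"
}

# Return 0 if the limit in file $1 covers $2 expected clients, 1 if not.
check_capacity() {
    limit=$(tcp_max_connections "$1") || return 2
    [ "$limit" -ge "$2" ] && { echo "OK: limit $limit covers $2 clients"; return 0; }
    echo "RAISE: limit $limit is below $2 clients; set max-connections($2)"
    return 1
}

# Constructed sample configs (port 1514 and the counts are made-up values).
SAMPLE_DIR=${TMPDIR:-/tmp}/syslog-ng-example.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
source s_syslog_tcp { tcp(port(1514)
keep-alive(yes));};
EOF
cat > "$SAMPLE_DIR/raised.conf" <<'EOF'
# raised for 40 clients
source s_syslog_tcp { tcp(port(1514) keep-alive(yes)
    max-connections(40)); };
EOF
check_capacity "$SAMPLE_DIR/default.conf" 25 || true
check_capacity "$SAMPLE_DIR/raised.conf" 25
```

On a real consolidator, pass /etc/syslog-ng.conf.server and the number of forwarding clients to check_capacity.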
Next, the wizard prompts for which local logs should be consolidated:
Log files that reside on this system can be consolidated.
Would you like to consolidate this system's syslogs? (y/n) [y]:
Answering yes places this log consolidation system’s own local syslog
data in the consolidated log along with the client system syslog data. To
preserve the priority and facility of syslog entries, UDP local loopback is
used, and syslog is configured to also forward entries to its local UDP
port 514. syslog-ng is configured to read from this port. Thus,
consolidating this system’s syslogs allows clients to also connect to this
log consolidation server via UDP port 514, even if TCP transport is