Distributed Systems Administration Utilities User's Guide

5. Edit the /etc/rc.config.d/syslog-ng file and change the CLOG_CONFIGURED line to
CLOG_CONFIGURED=0. Remove all other CLOG lines except for the following:
CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts
CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog
6. If ssh port forwarding had been configured, remove the following line from /etc/services:
clog_ssh port/tcp # Consolidated logging with ssh port forwarding
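The two steps above, as an added shell example that is not part of DSAU: it applies them to whatever files are passed in, so it can be tried on copies of /etc/rc.config.d/syslog-ng and /etc/services before the live files are touched, and then checks the result. The sample file contents at the end are constructed; CLOG_EXAMPLE_ENTRY and OTHER_SETTING are made-up names standing in for "any other CLOG line" and for an unrelated setting, and 5140 is an assumed port number.

```shell
#!/bin/sh
# Added example (not DSAU's own code): perform steps 5 and 6 on the files
# given as arguments.  Run it against scratch copies first; the live files are
# /etc/rc.config.d/syslog-ng and /etc/services.

# Step 5: set CLOG_CONFIGURED=0, keep CLOG_LAYOUTS_DIR and
# CLOG_ADDITIONAL_LOG_DIRS[0], drop every other CLOG line, and pass
# non-CLOG lines through untouched.  A missing CLOG_CONFIGURED line is added.
disable_clog_rc() {
    rcfile=$1
    tmp="$rcfile.tmp.$$"
    awk '
        /^CLOG_CONFIGURED=/               { print "CLOG_CONFIGURED=0"; seen = 1; next }
        /^CLOG_LAYOUTS_DIR=/              { print; next }
        /^CLOG_ADDITIONAL_LOG_DIRS\[0\]=/ { print; next }
        /^CLOG_/                          { next }
        { print }
        END { if (!seen) print "CLOG_CONFIGURED=0" }
    ' "$rcfile" > "$tmp" && mv "$tmp" "$rcfile"
}

# Step 6: remove the clog_ssh service entry (only needed if ssh port
# forwarding had been configured; harmless otherwise).
remove_clog_ssh_service() {
    svcfile=$1
    tmp="$svcfile.tmp.$$"
    awk '!/^clog_ssh[ \t]/' "$svcfile" > "$tmp" && mv "$tmp" "$svcfile"
}

# Check the result: CLOG_CONFIGURED=0 is present, no CLOG line other than the
# two allowed ones survives, and clog_ssh is gone from the services file.
# Returns 0 when everything is as steps 5 and 6 require.
verify_clog_removed() {
    rcfile=$1
    svcfile=$2
    grep -q '^CLOG_CONFIGURED=0$' "$rcfile" || return 1
    stray=$(grep '^CLOG_' "$rcfile" \
        | grep -v -e '^CLOG_CONFIGURED=0$' -e '^CLOG_LAYOUTS_DIR=' \
                  -e '^CLOG_ADDITIONAL_LOG_DIRS\[0\]=' | wc -l | tr -d ' ')
    [ "$stray" -eq 0 ] || return 1
    if grep -q '^clog_ssh' "$svcfile"; then return 1; fi
    return 0
}

# Constructed sample files (not copied from a real system) so the functions
# can be exercised offline.  CLOG_EXAMPLE_ENTRY and OTHER_SETTING are made-up
# names; 5140 is an assumed port.
make_sample_files() {
    dir=$1
    cat > "$dir/syslog-ng" <<'EOF'
CLOG_CONFIGURED=1
CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts
CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog
CLOG_EXAMPLE_ENTRY=1
OTHER_SETTING=keep
EOF
    cat > "$dir/services" <<'EOF'
ssh             22/tcp
clog_ssh        5140/tcp   # Consolidated logging with ssh port forwarding
syslog          514/udp
EOF
}

# Demonstration on scratch copies (mktemp semantics differ on HP-UX, so a
# plain mkdir is used).
work=${TMPDIR:-/tmp}/clog_demo.$$
mkdir "$work"
make_sample_files "$work"
disable_clog_rc "$work/syslog-ng"
remove_clog_ssh_service "$work/services"
verify_clog_removed "$work/syslog-ng" "$work/services" && echo "steps 5 and 6 applied cleanly"
cat "$work/syslog-ng"
rm -rf "$work"
```

On the real system the same functions are run with /etc/rc.config.d/syslog-ng and /etc/services as arguments, after which verify_clog_removed is the check that nothing else in the CLOG configuration was left behind.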
3.5 Securing Consolidated Logs
On a standard HP-UX system, all users can view the system's local /var/adm/syslog/syslog.log.
Access to consolidated logs is typically restricted. The log consolidation server system itself is
usually a restricted access system with strict security policies in place.
3.5.1 Log File Protections
One level of protection is the permissions on the consolidated log files themselves. These are
controlled in the syslog-ng.conf.server file: each syslog-ng "file" destination can carry its own
owner, group and mode. If the directory for a consolidated file does not exist, syslog-ng can be
told to create it (create_dirs(yes)) and to set the new directory's owner, group and mode as well.
For example,
destination d_file {
    file("/clog/test/example.log"
         create_dirs(yes)        # create /clog/test if it is missing
         dir_owner("root")       # owner, group and mode of the created directory
         dir_group("sys")
         dir_perm(0600)          # note: without the search (x) bit only root can enter it
         owner("root")           # owner, group and mode of the log file itself
         group("sys")
         perm(0600));            # root read/write only; no group or world access
};
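A check to go with the destination above, as an added example rather than anything shipped with DSAU: it walks a consolidated log tree on the consolidation server and reports every file or directory whose owner, group or mode differs from what syslog-ng.conf.server was meant to enforce. The /clog path in the usage comment is the page's own example; the demonstration tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of DSAU): check that a consolidated log tree still
# carries the ownership and modes configured for it in syslog-ng.conf.server.
# It parses ls -ld rather than stat(1), whose options differ between HP-UX and
# other systems, so it runs unchanged on both.

# Print one line per file or directory under $1 that does not match:
#   owner $2, group $3, file mode $4 (default -rw-------), directory mode $5
#   (default drwx------, i.e. 0700: a directory needs the search bit).
log_perm_violations() {
    root=$1; owner=$2; group=$3
    file_mode=${4:--rw-------}
    dir_mode=${5:-drwx------}
    find "$root" \( -type f -o -type d \) -print | while read -r path; do
        # Fields: mode (first 10 chars; ls may append '+' or '.'), owner, group.
        set -- $(ls -ld "$path" | awk '{print substr($1, 1, 10), $3, $4}')
        mode=$1; own=$2; grp=$3
        case $mode in
            d*) want=$dir_mode ;;
            *)  want=$file_mode ;;
        esac
        if [ "$mode" != "$want" ] || [ "$own" != "$owner" ] || [ "$grp" != "$group" ]; then
            printf '%s: %s %s:%s (expected %s %s:%s)\n' \
                "$path" "$mode" "$own" "$grp" "$want" "$owner" "$group"
        fi
    done
}

# Exit status = number of violations (capped at 255); 0 means the tree is clean.
audit_log_perms() {
    n=$(log_perm_violations "$@" | wc -l | tr -d ' ')
    [ "$n" -gt 255 ] && n=255
    return "$n"
}

# Constructed demonstration tree (not a real /clog): one compliant file and
# one that was left world-readable.  Owner and group are read back from the
# directory so the demo works for whoever runs it.
demo=${TMPDIR:-/tmp}/clog_perm_demo.$$
mkdir "$demo"; chmod 700 "$demo"
printf 'sample\n' > "$demo/example.log"; chmod 600 "$demo/example.log"
printf 'sample\n' > "$demo/leaky.log";   chmod 644 "$demo/leaky.log"
me=$(ls -ld "$demo" | awk '{print $3}')
mygrp=$(ls -ld "$demo" | awk '{print $4}')
log_perm_violations "$demo" "$me" "$mygrp"     # reports leaky.log only
rm -rf "$demo"

# On the consolidation server, against the destination shown above:
#   audit_log_perms /clog root sys || echo "violations: $?"
```

Run it from cron or after any restore of the log tree; a non-zero status means something (a restore with the wrong umask, a hand-created directory, a file copied in by another user) has opened a consolidated log to readers the syslog-ng configuration never intended.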
3.5.2 ssh Port Forwarding
ssh port forwarding sets up a tunnel for the log traffic between the syslog-ng log forwarding
client and the syslog-ng log consolidation server. This ssh-based tunnel is only available when
using the TCP transport, not UDP. Also, ssh port forwarding is not used when forwarding log
traffic within a Serviceguard cluster (member to member). Standard TCP or UDP is used for
intra-cluster log traffic.
ssh port forwarding is transparent to syslog-ng. The /etc/syslog-ng.conf.client file is configured
so that syslog-ng forwards log traffic to a local port managed by ssh. The local ssh connects to
the remote sshd on the log consolidation server, and sshd delivers the forwarded traffic to the
standard syslog-ng TCP port there. The remote log consolidation server believes it has a standard
log forwarding client and is unaware of the tunneling taking place.
One problem with ssh tunneling is failure of the log consolidation server. If the syslog-ng
server stops or crashes, the ssh tunnels disconnect. Two independent reconnect timers then come
into play. The client's ssh tunnel tries to reconnect at one-minute intervals; this interval is
configurable, and each failed attempt is logged to the client's local syslog.log. Separately, the
client's syslog-ng has lost its connection to the local tunnel port, and its own log
(/var/adm/syslog/syslog-ng.log) shows it trying to reconnect to the tunnel. The default for this
second interval is 10 seconds, set by syslog-ng's global time_reopen(seconds) option. See the
syslog-ng open source reference manual (/opt/dsau/doc/syslog-ng) for details.
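The arrangement described in this subsection, as an added shell example that is not DSAU's own tooling: the ssh command that holds the forwarded port, and a supervisor loop that restarts it after the consolidation server drops the connection, reporting each failed attempt through logger(1) so it appears in the local syslog.log. The server name clogserver, the user clog, and the ports 5140 (local) and 514 (remote syslog-ng TCP port) are assumptions; DSAU's actual port numbers are not shown on this page.

```shell
#!/bin/sh
# Added example (not DSAU's own tooling) of the arrangement described in 3.5.2:
# a local ssh holds a forwarded port, syslog-ng on the client writes to that
# port, and a supervisor loop re-establishes the tunnel when the consolidation
# server goes away.  Host, user and port numbers are assumptions.

CLOG_SERVER=${CLOG_SERVER:-clogserver}   # assumed consolidation server name
LOCAL_PORT=${LOCAL_PORT:-5140}            # assumed local port syslog-ng sends to
REMOTE_PORT=${REMOTE_PORT:-514}           # assumed syslog-ng TCP port on the server

# The ssh invocation for the tunnel: connections to 127.0.0.1:$1 on the client
# are delivered by the server's sshd to 127.0.0.1:$2 there.  -N runs no remote
# command; ExitOnForwardFailure makes a refused forward a hard failure so the
# supervisor notices it instead of keeping a session that forwards nothing.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:127.0.0.1:%s %s\n' \
        "$1" "$2" "$3"
}

# Report through logger(1) so the message lands in the local syslog.log, as the
# failed reconnects described above do; fall back to stderr if logger is absent.
report() {
    logger -t clog_ssh -p daemon.warning "$*" 2>/dev/null || printf 'clog_ssh: %s\n' "$*" >&2
}

# keep_tunnel INTERVAL MAX_FAILS COMMAND...: run COMMAND, and when it exits with
# an error (the tunnel dropped), wait INTERVAL seconds and start it again.
# MAX_FAILS consecutive failures (0 = never give up) end the loop with status 1;
# a clean exit of COMMAND (status 0) ends it with status 0.
keep_tunnel() {
    interval=$1; max_fails=$2; shift 2
    fails=0
    while :; do
        if "$@"; then
            report "tunnel to $CLOG_SERVER closed cleanly"
            return 0
        fi
        fails=$((fails + 1))
        report "tunnel to $CLOG_SERVER failed (attempt $fails); retry in ${interval}s"
        if [ "$max_fails" -gt 0 ] && [ "$fails" -ge "$max_fails" ]; then
            return 1
        fi
        sleep "$interval"
    done
}

# Real use (not run here): one-minute interval and never give up, matching the
# reconnect behaviour described above.  The user "clog" is an assumption.
#   keep_tunnel 60 0 $(tunnel_cmd "$LOCAL_PORT" "$REMOTE_PORT" "clog@$CLOG_SERVER") &
```

With this in place, the destination in /etc/syslog-ng.conf.client points at 127.0.0.1 and the local port (tcp("127.0.0.1" port(5140)) in syslog-ng's destination syntax, assuming that port number), and the two timers described above stay independent: keep_tunnel's INTERVAL is the ssh reconnect interval, while time_reopen() in syslog-ng's global options sets how often syslog-ng itself retries the connection to the local port.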
3.5.2.1 ssh Port Forwarding to a Serviceguard Cluster Log Consolidator
When using ssh port forwarding with a Serviceguard cluster as the log consolidation server, a
special ssh configuration is required.
78 Consolidated Logging