Is centralized logging a good idea?

logging syslog

I would suggest you take a look at Splunk.

I currently have it in production, with 30+ network devices logging to it--It is really useful to have logs in one place, that I can write my own queries for, run canned reports, etc.


One BIG advantage of centralized logging is this:

  • If one of your machines is ever compromised, and the logs altered to hide that fact, you will still have an un-tampered copy on your central logging server.

Another is:

  • In my case I also have a dedicated monitor at my workstation running off of the central logging server that displays any logs of a priority "Warning" or higher in real time, so that I can deal with any problems immediately as they come up. (hopefully before the end-user notices :) ). This is difficult to do without a centralized server.

Take a look at eventsentry as well, not very expensive for few licenses, can setup good filters and alerting etc.

Related

How to prevent ip spoofing within iptables?
FreeBSD ZFS RAID-Z2 performance issues
What is the proper HTTP status for "too many connections?"
FTP/Windows/COmmand Line
Perl or Python, better suited for Unix system automation?
How to find the last user logged onto a computer in Active Directory?
if I put accept all 0.0.0.0/0 means this server is totally open for any ip?
As an admin, what tools do you use to log what you do to your boxes? [closed]
RAID-Z Failure Notification
Server Alias With wildcard subdomain
Networking Question - What is a VALID Subnet Address? [duplicate]
problem for network switch