Best practices for syslog
Dev,
I'm trying to figure out what we should be logging and how to adjust the logging for our syslog server. Has anyone seen a performance hit from the logging? I'd also like some insight into the HSL, but I need to get basic logging working to begin with before I go down that road. I've found the logging documentation for V11.2 to be kinda sparse, so I'm turning to Dev for some insight on what you guys are logging, how I can make the correct choices on what to log, etc. I've got syslog set up and it's logging somewhat correctly; however, I'm seeing a lot of messages coming from Cron:
Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session opened for user root by (uid=0)
Oct 3 00:25:01 boydf5 info crond[14049]: (root) CMD (/usr/lib/sa/sa1)
Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session closed for user root
Oct 3 00:26:01 boydf5 debug crond[14050]: pam_unix(crond:session): session opened for user syscheck by (uid=0)
and I'm not really sure how to stop them. These logs are roughly 90% of what's being logged, and I don't see a need for them to be logged anywhere. I'm also seeing my machine requesting and receiving the SSL cert from the F5, and that's not really that important to me. I'm more concerned with tracking a security incident and making sure I've done my own CYA so there can't be any blame on me for not having the info I need. I've tweaked everything to the level I think it should be at, unless I'm looking at it incorrectly. I'm pasting in my syslog config to verify the settings are correct, and see if anyone has any suggestions. Thanks for the help!
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log disabled
    cron-from err
    cron-to err
    daemon-from notice
    daemon-to emerg
    description Boyd-F5-01
    include none
    iso-date disabled
    kern-from notice
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers {
        remotesyslog1 {
            description none
            host XXX.XXX.XXX.XXX
            local-ip XXX.XXX.XXX.XXX
            remote-port XXX
        }
    }
    user-log-from emerg
    user-log-to emerg
}
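As an added check (example code, not from the post or from F5), the script below parses the four crond lines quoted above and tests each one against the per-facility from/to ranges in the pasted stanza. It assumes the standard Linux mapping that pam_unix session messages are emitted under the authpriv facility and crond's own "CMD" messages under cron; every other program is treated as daemon for the purposes of the check.

```python
import re

# Syslog severities, most severe first; the index is the numeric priority.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Per-facility ranges copied from the posted 'sys syslog' stanza:
# '<facility>-from' is the least severe level kept, '<facility>-to' the most severe.
RANGES = {
    "auth-priv": ("notice", "emerg"),
    "cron": ("err", "err"),
    "daemon": ("notice", "emerg"),
    "kern": ("notice", "emerg"),
    "local6": ("notice", "emerg"),
    "mail": ("notice", "emerg"),
    "user-log": ("emerg", "emerg"),
}

# Line layout seen in the post: "<timestamp> <host> <severity> <program>[<pid>]: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<severity>\w+) "
    r"(?P<program>[\w.-]+)\[(?P<pid>\d+)\]: (?P<text>.*)$"
)

def parse_line(line):
    """Split one BIG-IP syslog line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def facility_for(entry):
    """Facility the message was emitted under (assumption: pam_unix -> authpriv,
    crond's scheduler messages -> cron, anything else -> daemon)."""
    if entry["text"].startswith("pam_unix("):
        return "auth-priv"
    return "cron" if entry["program"] == "crond" else "daemon"

def in_configured_range(entry):
    """True if the stanza's from/to range for the facility covers this severity."""
    low, high = RANGES[facility_for(entry)]
    return RANK[high] <= RANK[entry["severity"]] <= RANK[low]

def filter_lines(lines):
    """Return only the lines the stanza's ranges would keep."""
    parsed = [(line, parse_line(line)) for line in lines]
    return [line for line, entry in parsed if entry and in_configured_range(entry)]

# Constructed sample: the four lines from the post plus one crond error (made up).
SAMPLE = [
    "Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session opened for user root by (uid=0)",
    "Oct 3 00:25:01 boydf5 info crond[14049]: (root) CMD (/usr/lib/sa/sa1)",
    "Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session closed for user root",
    "Oct 3 00:26:01 boydf5 debug crond[14050]: pam_unix(crond:session): session opened for user syscheck by (uid=0)",
    "Oct 3 00:27:01 boydf5 err crond[14051]: (root) CMD (/usr/lib/sa/sa1) failed",
]
```

All four quoted lines fall outside their facility's configured range (debug and info are below err and below notice), so if they still arrive at the remote host, whatever decides what is forwarded to remotesyslog1 is not these from/to settings.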