
How to Configuring Local Logging on Solaris 8 and Use Symantec Intruder Alert for Centralized Logging

How to Configuring Local Logging on Solaris 8 and Use Symantec Intruder Alert for Centralized Logging (PDF, 2.42MB)

Published: 05 May, 2005
Created by Nolan Haisler

Logging is often a forgotten security friend for system administrators until a security breach has occurred. The security administrator then goes to look at the logs, only to find that there are no logs, that the logs are incomplete, or that the attacker has modified the logs to cover his tracks. To prevent this, a system administrator should have a good local logging system in place and perhaps a central log server for archiving logs as well. In the case of a security breach or an attempted breach, 'complete and trustworthy system logs are critical for understanding what has happened on a given system' [1]. In this paper we will look at how to set up and configure a centralized logging system for a network of Solaris 8 and Windows 2000 machines. First we will take advantage of Solaris' built-in logging mechanisms, syslog and BSM (the Basic Security Module), and then we will install and configure Symantec Intruder Alert (SIA) to create a centralized logging scheme with powerful querying capabilities. The focus will be on centralizing the Solaris 8 logs, with the Windows machines used for SIA administration.
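The local syslog configuration is the foundation that the central server builds on, and a Solaris 8 /etc/syslog.conf fails silently when a line separates the selector from the action with spaces instead of a tab. The checker below is an added example, not code from the paper or from Symantec: it flags such lines and confirms that the auth facility is both kept locally and forwarded to a remote loghost (the host name loghost and the sample file layout are assumptions).

```shell
#!/bin/sh
# Added example (not from the paper). Solaris syslogd requires a literal TAB
# between selector and action; a space-separated line is silently ignored, so
# the events it names are never written anywhere. This checker flags such
# lines and confirms that the auth facility (logins, su) is logged locally
# and forwarded to a remote host, since the remote copy is what survives an
# attacker editing the local logs. It does not expand the m4 ifdef() macros
# found in the stock Solaris file; run it on the expanded configuration.
# Usage: check_syslog_conf /etc/syslog.conf  (exit 0 = OK, 1 = problems found)
check_syslog_conf() {
    awk '
        BEGIN { problems = 0; auth_local = 0; auth_remote = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        {
            if ($0 !~ /\t/) {                         # no TAB: syslogd drops it
                printf("IGNORED (no tab): %s\n", $0)
                problems = 1
                next
            }
            n = split($0, f, /\t+/)
            sel = f[1]; act = f[n]
            # auth.* or *.* selectors cover authentication messages
            if (sel ~ /(^|;)(auth|\*)\./) {
                if (act ~ /^@/) auth_remote = 1       # forwarded to a loghost
                else if (act ~ /^\//) auth_local = 1  # written to a local file
            }
        }
        END {
            if (!auth_local)  { print "auth facility not logged locally"; problems = 1 }
            if (!auth_remote) { print "auth facility not forwarded to a loghost"; problems = 1 }
            exit problems
        }
    ' "$1"
}

# Constructed sample configuration (assumed, not from the paper) showing the
# expected layout; printf emits real TAB characters, and "loghost" is assumed
# to resolve to the central log server.
write_sample_conf() {
    printf '*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n'
    printf 'auth.info\t/var/log/authlog\n'
    printf 'auth.info\t@loghost\n'
}

# Example run:
# write_sample_conf > /tmp/syslog.conf.sample && check_syslog_conf /tmp/syslog.conf.sample
```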