How to set up the Logrep client on Linux?

Requirements

  1. A user account (xferuser, for example). The home directory of this account will be used for temporary storage of logfiles.
  2. OpenSSH server is installed.
  3. Perl is available.
  4. The public key part of a key pair for public key authentication.

Procedure

  1. Make the directories ~xferuser/.ssh and /etc/logrep.
  2. Copy the public key to the .ssh directory and rename it authorized_keys.
  3. Make sure that access to .ssh and authorized_keys is limited to xferuser with rw rights.
  4. Copy logrep.client.linux to the /etc/logrep directory. Make sure that logrep.client.linux has execute permission.
  5. Set up the system cron jobs that run logrep.client.linux.
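The five steps above carried out as shell functions, as an added example that is not part of the Logrep documentation. Paths are parameters so the functions can be exercised in a scratch directory before they are run as root on a real host. Assumptions not stated on the page: the client is launched from a system crontab (user field root, since it must read root-owned logs and hand the copies to xferuser), the key arrives as a single public key file, and the nightly schedule is a placeholder. The cron entries reuse the snort and squid invocations from the examples below.

```shell
#!/bin/sh
# Added example (not from the Logrep project): procedure steps 1-5 as functions.
# Usage on a real host (as root):  sh setup-logrep.sh install /path/to/key.pub

# Steps 1-3: create ~xferuser/.ssh, install the public key as authorized_keys,
# and restrict both to the owner. sshd with StrictModes (the default) rejects
# keys that live in a group- or world-writable .ssh, so the modes matter.
setup_xfer_ssh() {
    home="$1"      # home directory of the transfer user, e.g. ~xferuser
    pubkey="$2"    # public key file to install
    owner="$3"     # account that must own the files; empty = skip chown
    mkdir -p "$home/.ssh"
    cp "$pubkey" "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$home/.ssh"
    fi
}

# Step 4: install the client under /etc/logrep with execute permission.
install_logrep_client() {
    src="$1"       # logrep.client.linux as shipped
    dir="$2"       # normally /etc/logrep
    mkdir -p "$dir"
    cp "$src" "$dir/logrep.client.linux"
    chmod 755 "$dir/logrep.client.linux"
}

# Step 5: write the cron jobs in /etc/cron.d format (minute hour dom mon dow
# user command). The invocations are the snort and squid examples from this
# page; the 00:05/00:10 schedule is an assumption.
write_cron_entries() {
    cronfile="$1"  # normally /etc/cron.d/logrep
    dir="$2"       # directory holding logrep.client.linux
    cat > "$cronfile" <<EOF
# Logrep client jobs: copy or tail logs into ~xferuser/logrep and gzip them
5  0 * * * root $dir/logrep.client.linux -s snort -p /var/log/snort/alert -n 0 -u xferuser
10 0 * * * root $dir/logrep.client.linux -s squid -p /var/log/squid/access.log -n 100000 -u xferuser
EOF
    chmod 644 "$cronfile"
}

# Verification helper: the permission string as printed by ls -ld, which is
# portable across GNU and BSD userlands (stat's format flags are not).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Real installation; skipped when the functions are only being exercised.
if [ "${1:-}" = "install" ]; then
    xferhome=$(getent passwd xferuser | cut -d: -f6)
    setup_xfer_ssh "$xferhome" "$2" xferuser
    install_logrep_client ./logrep.client.linux /etc/logrep
    write_cron_entries /etc/cron.d/logrep /etc/logrep
    echo ".ssh mode: $(mode_of "$xferhome/.ssh")"
    echo "authorized_keys mode: $(mode_of "$xferhome/.ssh/authorized_keys")"
fi
```

After the install, mode_of should report drwx------ for .ssh and -rw------- for authorized_keys; anything looser is the usual reason a key-based login to xferuser fails silently on the client side.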

logrep.client.linux examples (for use in crontab)

snort

/etc/logrep/logrep.client.linux -s snort -p /var/log/snort/alert -n 0 -u xferuser

copies the snort alert file /var/log/snort/alert to the ~xferuser/logrep directory and gzips it.

squid

/etc/logrep/logrep.client.linux -s squid -p /var/log/squid/access.log -n 100000 -u xferuser

copies the last 100000 lines from the squid access file /var/log/squid/access.log to the ~xferuser/logrep directory and gzips them.

postfix

/etc/logrep/logrep.client.linux -s postfix -p /var/log/maillog -n 50000 -u xferuser

copies the last 50000 lines from the postfix mail logfile /var/log/maillog to the ~xferuser/logrep directory and gzips them.

apache

/etc/logrep/logrep.client.linux -s apache -p /var/log/apache/access.log -n 100000 -u xferuser

copies the last 100000 lines from the apache log file /var/log/apache/access.log to the ~xferuser/logrep directory and gzips them.

Trend Micro InterScan VirusWall

/etc/logrep/logrep.client.linux -s iscan -p /var/log/iscan -n 0 -u xferuser

merges the last two files from the InterScan VirusWall log directory /var/log/iscan into the ~xferuser/logrep directory and gzips the result.