Is there a free and robust solution to collect server logs from about 100 Linux systems and Apache servers to refer to when there are security accidents like scanning from outside IPs?
I am using Nagios Log Server. You can certainly have a trial for Nagios Log Server, even for 60 days. If you would like to schedule a live demo with a Nagios expert, contact them to set that up.
A simple solution is to aggregate all logs using rsync to copy the /var/log/* files of all machines/containers/VMs to some common machine. Then you can use any number of tools to analyze the logs. This approach is free, robust, and simple to understand.
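Once the logs sit on one machine, the question's use case (spotting scanning from outside IPs) comes down to reading the aggregated Apache access logs per client address. The script below is an added example, not code from this answer or from any of the tools named in the thread. It parses Apache "combined" format lines, counts requests, 4xx responses and distinct paths per IP, and flags external addresses whose traffic is mostly errors spread over many paths. The internal ranges and the sample log lines are constructed for the example.

```python
"""Flag likely scanners in aggregated Apache access logs.

Added example (not from the thread). Assumes Apache "combined" log format and
that INTERNAL_NETS lists the organisation's own address ranges.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed: addresses inside these networks are "our own" and not flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Activity:
    requests: int = 0
    errors: int = 0                      # 4xx responses (missing pages, forbidden, ...)
    paths: set = field(default_factory=set)


def parse_line(line):
    """Return (ip, status, path), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()       # e.g. ["GET", "/.env", "HTTP/1.1"]
    path = parts[1] if len(parts) >= 2 else m.group("req")
    return m.group("ip"), int(m.group("status")), path


def summarize(lines):
    """Aggregate per-client activity over an iterable of log lines."""
    per_ip = defaultdict(Activity)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:               # skip malformed or non-Apache lines
            continue
        ip, status, path = parsed
        act = per_ip[ip]
        act.requests += 1
        act.paths.add(path)
        if 400 <= status < 500:
            act.errors += 1
    return per_ip


def is_external(ip):
    """True for addresses outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_scanners(lines, min_requests=5, min_error_ratio=0.6, min_distinct_paths=5):
    """Return {ip: stats} for external clients whose traffic looks like path probing."""
    hits = {}
    for ip, act in summarize(lines).items():
        if not is_external(ip) or act.requests < min_requests:
            continue
        if act.errors / act.requests >= min_error_ratio and len(act.paths) >= min_distinct_paths:
            hits[ip] = {"requests": act.requests, "errors": act.errors,
                        "distinct_paths": len(act.paths)}
    return hits


# Constructed sample: one external prober, one normal external visitor, one internal host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1043 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /config.php HTTP/1.1" 404 209 "-" "-"
198.51.100.20 - - [10/Oct/2023:14:01:02 +0000] "GET / HTTP/1.1" 200 1043 "-" "-"
198.51.100.20 - - [10/Oct/2023:14:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"
198.51.100.20 - - [10/Oct/2023:14:01:09 +0000] "GET /about HTTP/1.1" 200 512 "-" "-"
10.0.0.5 - - [10/Oct/2023:14:10:00 +0000] "GET /a HTTP/1.1" 404 209 "-" "-"
10.0.0.5 - - [10/Oct/2023:14:10:00 +0000] "GET /b HTTP/1.1" 404 209 "-" "-"
10.0.0.5 - - [10/Oct/2023:14:10:01 +0000] "GET /c HTTP/1.1" 404 209 "-" "-"
10.0.0.5 - - [10/Oct/2023:14:10:01 +0000] "GET /d HTTP/1.1" 404 209 "-" "-"
10.0.0.5 - - [10/Oct/2023:14:10:02 +0000] "GET /e HTTP/1.1" 404 209 "-" "-"
this line is not an access log entry
"""

if __name__ == "__main__":
    for ip, stats in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats}")
```

The thresholds are starting points to tune against your own traffic; the internal host with the same error pattern is deliberately left out, since the question is about outside addresses.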
You can look into an ELK stack (Elasticsearch, Logstash, Kibana) and feed that using Filebeat or rsyslog.
If you are using syslog, then you are able to send logs to a remote server to collect and monitor on that central log server.
On the log server side, allow logging from the client(s)/network(s) you need, and make sure you only send the logs through trusted networks (they are not encrypted).
On the client side, check the log target and send a copy to the log server.
The configuration depends on the type of syslog/rsyslog/… logging server you are using.
For example, with rsyslog, edit /etc/rsyslog.conf on the server and clients and verify:
- you can reach the server from the client (test with ping/traceroute)
- the syslog server is accepting remote connections and no firewall is blocking port 514
- the client syslog is configured to forward a copy of the log entries you need to the remote log host
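The following configuration pair is an added example of the server/client setup this answer describes; it is not the answer author's own configuration. It uses rsyslog's RainerScript syntax in drop-in files under /etc/rsyslog.d/, and the log host name (loghost.example.internal), the trusted network (10.0.0.0/8), the Apache log path and the storage directory are all assumptions to replace with your own values.

```conf
# ---- server side: /etc/rsyslog.d/10-remote.conf (assumed path) ----
module(load="imtcp")

# Legacy-format directive: only accept TCP senders from the trusted network
# (assumed 10.0.0.0/8). Keep it before the input it applies to; a host
# firewall rule on port 514 is the usual second line of defence.
$AllowedSender TCP, 10.0.0.0/8

input(type="imtcp" port="514")

# One file per client host and program, so an incident review can go
# straight to the affected system without grepping a shared file.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="RemoteLogs")
    stop
}

# ---- client side: /etc/rsyslog.d/90-forward.conf (assumed path) ----
# Apache writes its own files rather than syslog, so pick them up with imfile
# (assumed Debian-style path; tag and facility are arbitrary choices).
module(load="imfile")
input(type="imfile" File="/var/log/apache2/access.log"
      Tag="apache-access" Severity="info" Facility="local6")
input(type="imfile" File="/var/log/apache2/error.log"
      Tag="apache-error" Severity="err" Facility="local6")

# Forward a copy of everything to the log host over TCP. The disk-assisted
# queue keeps messages across a log host outage instead of dropping them;
# local logging continues unchanged because this is an extra action.
*.* action(type="omfwd" target="loghost.example.internal" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_queue"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Run `rsyslogd -N1` on each side to check the syntax before restarting the service, then write a test message with `logger` on a client and confirm it appears under /var/log/remote/ on the server. As the answer notes, this transport is plaintext; rsyslog can wrap the same omfwd/imtcp pair in TLS via its gtls network stream driver if the logs must cross a network you do not control.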