Question
Is there a free and robust solution to collect server logs from about 100 Linux systems and Apache servers to refer to when there are security accidents like scanning from outside IPs?
Solution 1
I am using Nagios Log Server. You can certainly have a trial for Nagios Log Server, even for 60 days. If you would like to schedule a live demo with a Nagios expert, contact them to set that up.
Solution 2
A simple solution is to aggregate all logs using Rsync to copy all machines/containers/VMs /var/log/* files to some common machine. Then you can use any number of tools to analyze the logs. This approach is both free, robust, and simple to understand.
Solution 3
You can look into an ELK stack (Elastic Search, Logstash, Kibana) and feed that using Filebeat or rsyslog.
Solution 4
If you are using syslog, then you are able to send logs to a remote server to collect and monitor on that central log server.
On the log server-side, allow logging from the client(s) / network(s) you need, make sure you only send the logs through trusted networks (they are not encrypted).
On the client-side, check the log target and send a copy to the log server.
The configuration depends on the type of syslog/rsyslog/… logging server you are using.
For example in rsyslog edit /etc/rsyslog.conf on server and clients and verify:
- you can reach the server from the client (test with ping/traceroute)
- the syslog server is accepting remote connections and no firewall is blocking port 514
- the client syslog is configured to forward a copy of the log entries you need to the remote log host
