Run ONLY the syslog service on system B. If there is nothing else running it
will be next to impossible to hack system B because there's nothing to
attack (unless there is a vulnerability in the syslogd running on B). I
guess the hacker could also try to fill /var on the syslog server, but
even so you would probably still have the info you needed...
It doesn't copy whole files, it writes the logs in real time to a remote
machine.
You set up system A to log remotely to system B by modifying the
syslog.conf on A, and you set up system B to listen for network syslog by
modifying /etc/rc.d/init.d/syslogd.
E.g. on A, in syslog.conf you have:
*.info;mail.none;authpriv.none /var/log/messages
you could add
*.info;mail.none;authpriv.none @loghost.domain.com
so that the same info that is written to the messages file on the local
machine is also written to loghost. (See man syslog.conf)
On B you would add -r to /etc/rc.d/init.d/syslogd (and perhaps other
options - see man syslogd). If you need help modifying this script let
me know.
BTW - this remote logging is very cool shit for tracking lamer break-in
attempts. Cisco routers also remote syslog - let me know if you want
more info on that. After you have this setup, look at swatch or a
similar syslog watcher so you can have loghost mail/page you, traceroute
to the remote host or whatever, when evil things occur.
Adam
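As an added example (not part of Adam's message), the following Python shows what the pieces above do on the loghost side: it parses BSD syslog lines as a `syslogd -r` receiver sees them, evaluates a syslog.conf selector such as `*.info;mail.none;authpriv.none` the way syslogd does (per-facility thresholds, later parts override, `none` switches a facility off), and runs a swatch-style check over forwarded lines. The hostnames, timestamps and log lines are constructed sample data.

```python
import re
from collections import Counter

# syslog(3) facility and severity codes; the PRI on the wire is facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
# BSD syslog line as a remote syslogd receives it: <PRI>Mmm dd hh:mm:ss HOST MSG
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line):
    """Split one received line into facility, severity, timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}

def selector_matches(selector, facility, severity):
    """Evaluate a syslog.conf selector like '*.info;mail.none;authpriv.none'.
    Each part sets the threshold for the facilities it names; later parts
    override earlier ones, and 'none' switches a facility off entirely."""
    table = {}
    for part in selector.split(";"):
        fac, level = part.strip().split(".")
        for f in (FACILITIES.values() if fac == "*" else [FACILITIES[fac]]):
            table[f] = None if level == "none" else 7 if level == "*" else SEVERITIES[level]
    threshold = table.get(facility)
    # Lower severity numbers are more urgent, so "info" admits info and everything above it.
    return threshold is not None and severity <= threshold

FAILED_LOGIN = re.compile(r"FAILED LOGIN|authentication failure", re.I)

def failed_login_hosts(lines, threshold=3):
    """swatch-style check: hosts whose forwarded logs show >= threshold failed logins."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and FAILED_LOGIN.search(rec["msg"]):
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

# Constructed sample traffic as loghost would see it from hosts "sysA" and "sysB" (PRI 38 = auth.info).
SAMPLE = [
    "<38>Mar  3 10:15:01 sysA login[412]: FAILED LOGIN 1 FROM 10.0.0.9 FOR root, Authentication failure",
    "<38>Mar  3 10:15:04 sysA login[412]: FAILED LOGIN 2 FROM 10.0.0.9 FOR root, Authentication failure",
    "<38>Mar  3 10:15:08 sysA login[412]: FAILED LOGIN 3 FROM 10.0.0.9 FOR root, Authentication failure",
    "<30>Mar  3 10:15:10 sysA sshd[500]: Accepted password for adam from 10.0.0.5",
    "<38>Mar  3 10:16:00 sysB login[77]: FAILED LOGIN 1 FROM 10.0.0.9 FOR guest, Authentication failure",
]
```

Note that the `*.info;mail.none;authpriv.none` line from the message deliberately drops authpriv, so a loghost that should see login failures logged under authpriv needs its own `authpriv.*` selector forwarding to it as well.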