Good evening, I am running multiple Cisco routers/switches and a virtualized Debian install. In order to have proper forensic capabilities in case of attack/breach/malfunction, I wish to have remote logging of router/switch messages to a remote facility, to be able to read them even in case of hardware shutdown/reboot.
My idea was to remotely log messages from the Cisco routers to a virtualized Debian host running syslog. I did this in the past with Debian stretch and it worked by setting different facility codes and properly log-rotating with a cron job. I now see that bookworm is removing syslog and doing everything with journalctl. I see that I can also install syslog concurrently and configure it as I did, but I wonder if there is a way to avoid having local logging done to syslog, and only have remote syslog messages logged to /var/log/* while the local system is still handled by journal(d/ctl). I guess I could do the socket-listening logging to proper facility files and send local syslog logging to /dev/null, but I do not like it .... Has anybody done something similar? Or a better idea? I am asking in advance so that when I prepare the virtual machine dedicated to logging I can properly set it up.
Thanks for any pointers. Fabio
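One way to get the split described in the question (remote Cisco messages to /var/log/*, local system kept in journald), as an added example that is not part of the original post: install rsyslog on the bookworm collector, but replace the Debian default /etc/rsyslog.conf with one that loads only the network inputs (no imuxsock/imklog), so rsyslog never sees local messages at all, and bind those inputs to a dedicated ruleset. The port 514, the /var/log/remote directory, the 90-day retention and the logrotate file name are assumptions to adjust.

```conf
# file: /etc/rsyslog.conf  (replaces Debian's default file on the log collector)
# Deliberately no imuxsock / imklog: rsyslog receives nothing from the local host,
# so journald stays the only store for local system logs.
global(workDirectory="/var/spool/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

module(load="imudp")   # Cisco IOS sends UDP/514 by default
module(load="imtcp")   # for devices configured to use TCP

# One file per sending device and facility, e.g.
# /var/log/remote/192.0.2.1/local6.log  (192.0.2.1 is a documentation address)
# This keeps the "different facility code per device class" scheme from the old setup.
template(name="RemoteByHostFacility" type="string"
         string="/var/log/remote/%FROMHOST-IP%/%syslogfacility-text%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteByHostFacility"
           dirCreateMode="0750" fileCreateMode="0640"
           fileOwner="root" fileGroup="adm")
    stop   # nothing from the network falls through to any other rule
}

# Bind both listeners to the ruleset above; the default ruleset stays empty.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# file: /etc/logrotate.d/remote-syslog  (assumed file name; logrotate runs daily via systemd timer)
/var/log/remote/*/*.log {
    daily
    rotate 90
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
```

Restrict UDP/TCP 514 on the collector to the management addresses of the routers/switches, since plain syslog is unauthenticated and anything that can reach the port can write into these files.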