Re: Remote Syslogd

From: Paul Gillingwater (paulat_private)
Date: Wed Oct 30 2002 - 09:52:50 PST


    Nice to see syslog getting some attention.  For those who are
    paranoiac (which should be most of us), I have four recommendations:
    
    1) Send your security-related syslog stuff to a well-protected
    dedicated syslog host, preferably with no external ports exposed.
    Do all syslog processing locally on that box at the console, so
    it's effectively write-only from the outside.
    
    2) Ensure you use NTP to keep the time synched across all boxen
    that feed syslog.
    
    3) Note that syslog is based on UDP, which means that it's possible to
    silently lose syslog information when you get network overload.
    Often, this is *exactly* when you don't want to lose the information.
    Solution: use an SSH tunnel, and pipe it into netcat first (because
    SSH will only tunnel TCP not UDP.)  This will ensure you use reliable
    datagrams to guarantee delivery of the syslog packets.
    
    4) UDP is insecure.  If a hacker gets into your network, she might
    get useful info from the syslog packets.  Therefore, encrypt it.  See
    the solution for point 3.
    
    Final thoughts:  I've developed (for our intrusion detection system) a
    means of polling systems for events based on growth of logfiles, which
    measures the logfile velocity, i.e., how fast it is growing.  In some
    circumstances, a 30% variation in the speed of growth of a logfile has
    some security and forensics relevance.
    
    cheers
    Paul
    
    *********************************
     Paul Gillingwater, BA, BSc, MBA
            Managing Director
     CSO Lanifex Unternehmensberatung 
     & Softwareentwicklung G.m.b.H.
          NEW BUSINESS CONCEPTS
    
    E-mail:  paulat_private
    Tel:     +43(1)2198222-20
    Fax:     +43(1)2198222-11
    Mobile:  +43(699)1922 3085
    Webhome: http://www.lanifex.com/
    Address: Praterstrasse 60/1/2 
             A-1020 Vienna, Austria
    *********************************
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
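The "logfile velocity" idea in Paul's final thoughts, worked through as an added example. This is not the code from his intrusion detection system, and the poll samples are constructed: a poller reads the file size once a minute, the growth rate of each interval is compared with the mean of the last few intervals that were judged normal, and anything more than 30% above or below that baseline is flagged. A shrinking file is flagged unconditionally, since from the poller's point of view a log rotation and a truncation by an intruder look the same. The `window`, `threshold` and `Alert` names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (not from the post): (seconds since start, logfile size in bytes),
# as a poller reading the file's st_size once a minute would record it.
SAMPLES: List[Tuple[float, int]] = [
    (0,   100_000),
    (60,  112_000),   # +12 000 B/min   steady
    (120, 124_500),   # +12 500 B/min   steady
    (180, 136_000),   # +11 500 B/min   steady
    (240, 148_000),   # +12 000 B/min   steady
    (300, 170_000),   # +22 000 B/min   burst, roughly 83 % above baseline
    (360, 171_000),   # +1 000 B/min    lull, roughly 92 % below baseline
]


@dataclass
class Alert:
    t_end: float                # poll time at which the anomaly was observed
    velocity: float             # observed growth, bytes/second
    baseline: Optional[float]   # mean growth of the reference window, bytes/second
    deviation: Optional[float]  # fractional deviation from baseline, e.g. 0.83 = +83 %
    reason: str                 # "burst", "lull" or "shrank"


def velocities(samples: List[Tuple[float, int]]) -> List[Tuple[float, float]]:
    """Growth rate in bytes/second for each interval between consecutive polls."""
    out = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        out.append((t1, (s1 - s0) / (t1 - t0)))
    return out


def detect_velocity_anomalies(samples: List[Tuple[float, int]],
                              threshold: float = 0.30,
                              window: int = 3) -> List[Alert]:
    """Flag intervals whose growth rate deviates by more than `threshold`
    (a fraction, 0.30 = 30 %) from the mean of the last `window` intervals
    that were accepted as normal.

    Anomalous intervals are kept out of the reference window, so a burst does
    not inflate the baseline and hide the lull that may follow it. A file that
    shrank is always flagged; whether that was rotation or tampering has to be
    decided elsewhere (rotation schedule, inode change, checksums)."""
    alerts: List[Alert] = []
    history: List[float] = []   # velocities accepted as "normal"
    for t_end, v in velocities(samples):
        baseline = sum(history[-window:]) / window if len(history) >= window else None
        if v < 0:
            dev = (v - baseline) / baseline if baseline else None
            alerts.append(Alert(t_end, v, baseline, dev, "shrank"))
            continue
        if baseline is None or baseline <= 0:
            history.append(v)   # still warming up, nothing to compare against yet
            continue
        dev = (v - baseline) / baseline
        if abs(dev) > threshold:
            alerts.append(Alert(t_end, v, baseline, dev, "burst" if dev > 0 else "lull"))
        else:
            history.append(v)
    return alerts


if __name__ == "__main__":
    for a in detect_velocity_anomalies(SAMPLES):
        print(f"t={a.t_end:>5.0f}s  {a.reason:<6}  {a.velocity:8.1f} B/s  "
              f"baseline={a.baseline}  deviation={a.deviation}")
```

Run as-is it reports two alerts on the constructed samples: a burst at t=300 s and a lull at t=360 s. Because the baseline is built only from intervals judged normal, a permanent change in logging volume would keep alerting until the history is reset; in a real poller you would re-baseline after an analyst acknowledges the change.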
    



    This archive was generated by hypermail 2b30 : Fri Nov 01 2002 - 04:59:26 PST