Nice to see syslog getting some attention. For those who are paranoiac (which should be most of us), I have four recommendations:

1) Send your security-related syslog stuff to a well-protected dedicated syslog host, preferably with no external ports exposed. Do all syslog processing locally on that box at the console, so it's effectively write-only from the outside.

2) Ensure you use NTP to keep the time synched across all boxen that feed syslog.

3) Note that syslog is based on UDP, which means that it's possible to silently lose syslog information when you get network overload. Often, this is *exactly* when you don't want to lose the information. Solution: use an SSH tunnel, and pipe it into netcat first (because SSH will only tunnel TCP, not UDP). This will ensure you use reliable datagrams to guarantee delivery of the syslog packets.

4) UDP is insecure. If a hacker gets into your network, she might get useful info from the syslog packets. Therefore, encrypt it. See the solution for point 3.

Final thoughts: I've developed (for our intrusion detection system) a means of polling systems for events based on growth of logfiles, which measures the logfile velocity, i.e., how fast it is growing. In some circumstances, a 30% variation in the speed of growth of a logfile has some security and forensics relevance.

cheers
Paul

Paul Gillingwater, BA, BSc, MBA
Managing Director
CSO
Lanifex Unternehmensberatung & Softwareentwicklung G.m.b.H.
Webhome: http://www.lanifex.com/
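A defender-side sketch of the logfile-velocity idea from the final paragraph, added here as an example and not Paul's code: it takes periodic size samples of a log file, derives bytes/second for each interval, and flags the newest interval when its rate departs from the baseline by more than a threshold (the 30% figure from the post). The baseline window, the handling of log rotation and all function names are assumptions of this example.

```python
"""Log-file growth-velocity monitor (constructed example)."""
import os
import time
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Sample = Tuple[float, int]  # (unix timestamp, file size in bytes)


@dataclass
class VelocityAlert:
    rate: float       # bytes/second in the newest interval
    baseline: float   # mean bytes/second over the earlier intervals
    deviation: float  # |rate - baseline| / baseline (inf if baseline is 0)


def growth_rates(samples: Sequence[Sample]) -> List[float]:
    """Bytes/second for each consecutive pair of samples."""
    rates = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("timestamps must be strictly increasing")
        # A size drop (rotation/truncation) counts as 0, not a negative rate.
        rates.append(max(s1 - s0, 0) / (t1 - t0))
    return rates


def check_velocity(samples: Sequence[Sample],
                   threshold: float = 0.30) -> Optional[VelocityAlert]:
    """Flag the newest interval if its rate deviates from the baseline.

    The baseline is the mean rate of all earlier intervals; the default
    threshold is the 30% figure from the post. A log that was silent and
    suddenly grows is reported with an infinite deviation.
    """
    rates = growth_rates(samples)
    if len(rates) < 2:
        return None  # no baseline yet
    *history, latest = rates
    baseline = sum(history) / len(history)
    if baseline == 0:
        return VelocityAlert(latest, 0.0, float("inf")) if latest > 0 else None
    deviation = abs(latest - baseline) / baseline
    return VelocityAlert(latest, baseline, deviation) if deviation > threshold else None


def sample_file(path: str) -> Sample:
    """One polling sample of a real file: (now, size in bytes)."""
    return (time.time(), os.path.getsize(path))
```

Feed `sample_file(path)` results collected at a fixed interval into `check_velocity` and act on the returned alert; a sudden slowdown is as interesting as a burst, since it can mean logging was stopped or redirected.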
This archive was generated by hypermail 2b30 : Fri Nov 01 2002 - 04:59:26 PST