In regards to the stealth log server setup... While I haven't ever done this (the thought of spewing log packets out lots of ports makes me nervous), just reading the descriptions people have posted or linked to, I think I'll throw in this tidbit. It might be a no-brainer for folks, but in any case...

So let's say you are using a bogus IP address in syslog.conf + hard-coding MAC-address-to-IP-address mappings in the hosts generating the logs to get the packets onto the wire. Remember that if said wire is connected into a switch, which is often the case, then the configuration of the switch can play a role. (I see the LinuxJournal article did not address this, and assumed layer 2 connectivity was provided by a *hub*, which simplifies things greatly.)

With a switch, the needed behavior--broadcasting the log packets to ALL ports--is possible because a switch which has not learned which port to map a given MAC address to will be in "learning" mode and may broadcast the packet to all ports, thus acting like a hub. But that behavior is configuration-dependent, and the heavier the iron, the more ways things get switched. So a Cisco 29XX or 35XX is fairly straightforward, but if your DMZ segment is a VLAN off a 6509, you may be doing more funky things that could impact your ability to broadcast in the general direction of the syslog server... And even 29XX's have modes for port security and such that may do stuff to unicast packets w/unknown MAC addresses.

Since you're hardcoding MAC addys in the hosts, might want to do it in the switch too.

Caveat administrator.

Binky

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
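The switch behavior the post relies on can be modeled in a few lines. The following is an added example, not code from the post or from the LinuxJournal article it mentions: a toy learning switch with a CAM table, an optional static (admin-pinned) MAC-to-port entry, and an optional port-security allow list. All MAC addresses and port numbers are constructed for the illustration. It shows the three cases the post describes: a syslog frame addressed to a collector that never transmits (so the switch never learns its port) is flooded hub-style; with a static entry for the collector's MAC it goes to exactly one port; and a port-security violation on the sending host's port drops it entirely.

```python
"""Toy model of a learning (transparent-bridging) switch.

Constructed to illustrate why delivery to a "stealth" syslog collector that
never sends a frame depends on the switch's configuration. This is an added
example, not code from the original post.
"""

from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: list
    cam: dict = field(default_factory=dict)            # dynamically learned MAC -> port
    static: dict = field(default_factory=dict)         # admin-configured MAC -> port
    secure_ports: dict = field(default_factory=dict)   # port -> set of allowed source MACs

    def forward(self, ingress, src_mac, dst_mac):
        """Return the egress port list for one frame; [] means the frame is dropped.

        - Port security: a frame whose source MAC is not allowed on the ingress
          port is dropped and nothing is learned from it.
        - Learning: the source MAC is associated with the ingress port.
        - Forwarding: a static entry wins over a learned one; an unknown
          destination MAC is flooded to every port except the ingress port,
          which is the hub-like behavior the stealth setup depends on.
        """
        allowed = self.secure_ports.get(ingress)
        if allowed is not None and src_mac not in allowed:
            return []
        if src_mac not in self.static:
            self.cam[src_mac] = ingress
        out = self.static.get(dst_mac, self.cam.get(dst_mac))
        if out is None:
            return [p for p in self.ports if p != ingress]
        return [out] if out != ingress else []


# Constructed addresses: the log-generating host sits on port 1, the silent
# collector (sniffing, no IP stack answering) on port 4.
HOST_MAC = "00:11:22:33:44:01"
LOGSRV_MAC = "00:11:22:33:44:04"   # the MAC hard-coded in the host's ARP table
COLLECTOR_PORT = 4


def stealth_syslog_scenario(static_entry=False, port_security=False):
    """Send one syslog frame from the host and return where the switch puts it."""
    sw = Switch(ports=[1, 2, 3, 4])
    if static_entry:
        # Pin the collector's MAC to its port, as the post suggests doing in
        # the switch as well as in the hosts.
        sw.static[LOGSRV_MAC] = COLLECTOR_PORT
    if port_security:
        # Allow list on port 1 that does not include the host's real MAC
        # (e.g. a stale sticky entry): the frame is discarded at ingress.
        sw.secure_ports[1] = {"00:de:ad:be:ef:99"}
    return sw.forward(ingress=1, src_mac=HOST_MAC, dst_mac=LOGSRV_MAC)


def collector_receives(egress_ports):
    """True if the silent collector's port is among the chosen egress ports."""
    return COLLECTOR_PORT in egress_ports


if __name__ == "__main__":
    for label, kwargs in [("default learning switch", {}),
                          ("static CAM entry", {"static_entry": True}),
                          ("port-security violation", {"port_security": True})]:
        out = stealth_syslog_scenario(**kwargs)
        print(f"{label:26s} egress={out} collector_receives={collector_receives(out)}")
```

The first case shows why the setup works at all on an unconfigured switch: the collector never transmits, so its MAC is never learned and every frame to it is unknown unicast, which is flooded. That is also why any feature that changes unknown-unicast handling (port security, unicast flood blocking, VLAN pruning on bigger chassis) can silently break log delivery; a static MAC entry on the switch, as the post recommends, removes the dependence on flooding and makes delivery deterministic.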
This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 22:37:38 PST