
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 14 - port 514 - syslog

Published: 2009-10-14
Last Updated: 2009-10-14 11:54:40 UTC
by David Goldsmith (Version: 1)
7 comment(s)

Often, if hackers or worms break into your computer, they will try to delete the logs on the local computer to help hide their tracks.  Having all your computers submit their local logs to a central log server will help you maintain copies of those logs.  Even if a bad guy isn't trying to delete your logs, it's also a good way to aggregate log data and to review it centrally using tools such as Swatch, Logsurfer or SEC to see if there are unusual events occurring on your systems.  These three tools all allow you to build a set of rules to help filter the log traffic.  Messages that are 'normal' noise can be ignored, and messages that are indicative of unusual activity can generate an alert to notify your admins to review the activities.

There are 3 main syslog packages at this time:

1) syslog - the original syslog program.  This only supports sending messages to the central log server over UDP.  As such, you have no guarantees that the messages will get to the central server.  Because it is UDP based, it is important that you use a firewall to block inbound UDP syslog traffic from the Internet.  This is so malicious users cannot send in a flood of syslog entries that results in filling up the filesystem on your central syslog server.

2) syslog-ng - in the spirit of Star Trek, this is 'syslog - the next generation'.  syslog-ng includes support to submit logs to a central server using TCP, so it can compensate for packets that got lost due to network issues or slow down sending if there is network congestion.  syslog-ng can also use supplemental tools, such as stunnel, to encrypt the log traffic between the source and the central log server using SSL.

3) rsyslog - this is the latest syslog replacement.  It can use TCP as well for more reliable communication.  It now has native encryption support built-in, eliminating the need to use a second tool like stunnel to secure the network communication.  It can also use MySQL as a storage backend rather than flat text files.  This is useful for tools such as phplogcon which can be used to visualize the log data.

For environments with Windows systems, there are add-ons you can install to allow you to submit your various Windows event logs to a syslog server as well.  Some examples of these products are winlogd, SNARE, and a Perl module Win32::Syslog.
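As an added example (not part of the original diary or of any of the tools it names), here is a small Python parser for RFC 3164 syslog lines as a central server would receive them on port 514, followed by a Swatch/SEC-style rule pass of the kind described above: the PRI field is split into facility and severity, known-noise messages are dropped, and either an alert pattern or a critical severity raises an alert. The sample lines, host names and rule patterns are all constructed for illustration.

```python
import re

# Constructed RFC 3164 lines, as a central server would receive them on port 514.
SAMPLE_LINES = [
    "<86>Oct 14 11:54:40 web01 sshd[2104]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "<85>Oct 14 11:54:41 web01 sshd[2110]: Failed password for invalid user admin from 10.0.0.9 port 40122 ssh2",
    "<78>Oct 14 11:54:42 web01 cron[1500]: (root) CMD (run-parts /etc/cron.hourly)",
    "<2>Oct 14 11:54:43 db01 kernel: Out of memory: Kill process 4242 (mysqld)",
    "<134>Oct 14 11:54:44 web01 httpd: 10.0.0.7 - - GET /index.html 200",
    "garbage line without a PRI header",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG, where PRI = facility * 8 + severity
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# Rule set (constructed): drop known noise first, then alert on patterns or high severity.
IGNORE = [re.compile(p) for p in (r"Accepted publickey", r"CMD \(run-parts")]
ALERT = [re.compile(p) for p in (r"Failed password", r"invalid user", r"Out of memory")]
ALERT_MAX_SEVERITY = 2  # emerg, alert, crit

def parse_syslog(line):
    # Return a dict of fields, or None if the line is not well-formed RFC 3164.
    m = SYSLOG_RE.match(line)
    if not m or int(m.group("pri")) > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["facility"], rec["severity"] = FACILITIES[pri // 8], pri % 8
    return rec

def classify(rec):
    # Swatch-style decision: 'ignore' known noise, 'alert' on rules, otherwise 'review'.
    if any(r.search(rec["msg"]) for r in IGNORE):
        return "ignore"
    if rec["severity"] <= ALERT_MAX_SEVERITY or any(r.search(rec["msg"]) for r in ALERT):
        return "alert"
    return "review"

def process(lines):
    # Malformed input is reported too; a central server should not silently drop it.
    alerts = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            alerts.append(f"malformed: {line!r}")
        elif classify(rec) == "alert":
            alerts.append(f"{rec['host']} {rec['facility']}.{SEVERITIES[rec['severity']]} {rec['tag']}: {rec['msg']}")
    return alerts
```

Running `process(SAMPLE_LINES)` yields three entries: the failed login, the kernel out-of-memory message and the unparseable line, while the accepted key and the cron run are dropped as noise.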
