syslog remote logging

2007-12-25 11:51:00

Hello people,

Here I have received fairly clear explanations from Juergen Schreiner, who gave me a couple of nice examples and pointed me to the secure syslog site (which I probably shall use, since I am very security concerned), and Richard Hellier, who gave me a hint why syslog.conf would have such weird syntax. Here details are goin':

~ From: juergen.schreiner@mchp.siemens.de
~
~ remote logging is very easy.
~ Let's assume you want to log every *.debug message to
~ your loghost:
~
~ [root@client_host]# vi /etc/syslog.conf
~ ...
~ # myloghost is the name of the host which should
~ # receive the messages
~ *.debug @myloghost
~ ...
~
~ [root@myloghost]# vi /etc/syslog.conf
~ ...
~ auth.debug /var/adm/auth.debug
~ daemon.debug /var/adm/daemon.debug
~ ...
~
~ Keep in mind that the field delimiter in syslog.conf is <TAB> !!
~ On the logging host the corresponding files (/var/adm/auth.debug,
~ /var/adm/daemon.debug ...) must already exist.
~

:) Actually 'TAB' was the thing which I missed while doing my testing (since not many daemons see the difference between TAB and 'SPACE'; probably sendmail is the only other one I could think of).

Another thing which made me suspicious about syslog is that everyone could push logs to my syslog and thus several attacks could be brought to life. (There are a few overflows in the syslog logging facility; the latest was found recently in the klog routine, which is useless when exploited locally /since I have to be a piece of kernel/, but is probably a real danger if it could be exploited from remote.) Plus several DoS attacks come to mind.

The only solutions which were figured out here are:

1. use packet filtering (firewalls/ipf/..).
2. use secure syslog: http://www.core-sdi.com/ssyslog

Now going to syntax things:

~ From: rlh <rlh@lsil.com>
[..]
~ Syslog config files are preprocessed by the "m4"
~ macro processor before being processed by the "syslogd"
~ daemon.
[..]

This explains those 'weird' constructions in syslog.conf, which I discovered on my Solaris 2.5.1 installation. So to enable logging to a remote host, all I have to do is add:

define(`LOGHOST',`loghost.name.com')dnl

or similar to the syslog.conf file.

Thanks a lot to everyone who helped. :)

Best regards

Fyodor


--
Fyodor Yarochkin tel:[996-3312] 474465 email:fygrave@tigerteam.net
http://www.kalug.lug.net/ PGP key: hkp://keys.pgp.com/cyberpsychotic
echo 'subscribe kalug' | mail majordomo@krsu.edu.kg : join Kyrgyztani L.U.G.
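The two pitfalls the thread settles on (selector and action must be separated by a TAB, and the target files on the loghost must already exist) are easy to check mechanically before restarting syslogd. The following is an added example, not code from the original post or from any of the people quoted in it; the sample syslog.conf it reads is constructed for the demonstration, and the `file_exists` hook is an assumption introduced so the check can run against a config for another host without touching the local filesystem. It also lists every `@host` forwarding action, which is the list an administrator wants when writing the packet-filter rules the post recommends.

```python
"""Lint a classic syslog.conf for the pitfalls discussed in this thread.

Added example, not code from the original post. It checks that the
selector and action on each line are separated by at least one TAB,
that every file action points at a file that already exists, and it
lists every remote-forwarding action (@host) so the destinations can be
confirmed against the packet-filter rules that protect the loghost.
"""

import os
import re
from collections import namedtuple

Entry = namedtuple("Entry", "lineno selector action problems")

# Constructed sample config; one line deliberately uses a space instead
# of a TAB so that the checker has something to flag.
SAMPLE_CONF = (
    "# forward everything at debug and above to the loghost\n"
    "*.debug\t@myloghost\n"
    "auth.debug\t/var/adm/auth.debug\n"
    "daemon.debug /var/adm/daemon.debug\n"
    "mail.*\t\t/var/log/maillog\n"
)

# selector (no whitespace) + separator + action (rest of the line)
_LINE_RE = re.compile(r"^(\S+)(\s+)(\S.*)$")


def parse_syslog_conf(text, file_exists=os.path.exists):
    """Parse syslog.conf text into Entry tuples, each with a list of problems.

    file_exists is injectable (hypothetical hook, not a syslogd feature) so
    the check can be run against a config for another host.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        m = _LINE_RE.match(line)
        if m is None:
            entries.append(Entry(lineno, line, "", ["unparseable line"]))
            continue
        selector, sep, action = m.groups()
        problems = []
        if "\t" not in sep:
            problems.append("selector and action not separated by a TAB")
        if action.startswith("/") and not file_exists(action):
            problems.append("target file does not exist; create it first")
        entries.append(Entry(lineno, selector, action, problems))
    return entries


def remote_destinations(entries):
    """Hostnames this config forwards messages to (the @host actions)."""
    return sorted({e.action[1:] for e in entries if e.action.startswith("@")})


def report(entries):
    """Print a human-readable summary; return the number of flagged lines."""
    flagged = 0
    for e in entries:
        if e.problems:
            flagged += 1
            for p in e.problems:
                print("line %d: %s -> %s: %s" % (e.lineno, e.selector, e.action, p))
    for host in remote_destinations(entries):
        print("forwards to %s: confirm the packet filter only admits this "
              "host on the syslog port" % host)
    return flagged


if __name__ == "__main__":
    # Pretend only the auth log file has been created on the loghost so far.
    created = {"/var/adm/auth.debug"}
    found = parse_syslog_conf(SAMPLE_CONF, file_exists=created.__contains__)
    report(found)
```

Run against the sample, the daemon.debug line is flagged twice (space instead of TAB, and its target file has not been created) and the maillog line once, while the forwarding line is reported as a destination to cross-check against the filter rules.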
