ng-syslog logging in a stealth mode
Hi *,
I would like for system logs like the ones produced by the kernel, iptables (generally in /var/log/syslog), as well as any other applications running in a Linux-based router to be processed by a syslog-ng client and just popped as UDP packets.
I looked into http://www.campin.net/syslog-ng/faq.html and couldn't see any particular info on this specifically, and I also searched http://marc.theaimsgroup.com/?l=syslog-ng for 'stealth' and didn't get any hits (a search on 'UDP' would dump millions of hits on you ;-)).
How could you do something like that?
Thanks, Albretch
Great idea, but running in stealth mode isn't a function of syslog-ng; it's a function of a network capture tool such as tcpdump or ngrep. Use these tools (or something like them) to capture the traffic and perhaps dump the syslog contents to a file (you need to do a little scripting here perhaps, though not much) and have syslog-ng read from that file.
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Tue, 2005-09-13 at 15:06, Albretch Mueller wrote:
How could you do something like that?
For the kernel messages you could use the netconsole kernel module to send any kernel messages directly via UDP to a specified client as soon as the network is available, with no need for running a local syslogd/klogd. Check kernel/Documentation/networking/Netconsole.txt for details.
Jens
You mean... log all activity on the box and forward it off to another device, storing nothing locally?
Declare a source of /dev/log.
Declare a sole UDP destination of the IP you want to log to. (I've always liked the idea of a home or office network being logged to the inside NAT broadcast address so any workstation can monitor logging, but I'm weird like that.)
Remove all lines that log to files.
And you're done.
- billn
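Bill's three steps as one concrete syslog-ng.conf. This is an added example, not a config from the thread or from the syslog-ng project; it assumes syslog-ng 3.x syntax, a collector at 192.0.2.10 (swap in the inside subnet's broadcast address for the "every workstation can watch" variant), and a kernel ring buffer readable at /proc/kmsg, which is also where iptables LOG targets end up.

```conf
@version: 3.38
# Assumed: syslog-ng 3.x, collector 192.0.2.10, /proc/kmsg readable.
# Adjust the @version line to the installed release.

options { use_dns(no); keep_hostname(yes); };

# One source for everything in the original question: applications via
# /dev/log, the kernel (and therefore iptables LOG output) via /proc/kmsg,
# syslog-ng's own messages via internal(). On a systemd host journald owns
# /dev/log, and the first two lines are replaced by system().
source s_router {
    unix-dgram("/dev/log");
    file("/proc/kmsg" program_override("kernel") flags(kernel));
    internal();
};

# The sole destination. A stock distribution config also carries lines like
#   destination d_syslog { file("/var/log/syslog"); };
#   destination d_kern   { file("/var/log/kern.log"); };
# plus log {} statements that reference them. Those are exactly the lines
# "remove all lines that log to files" refers to; nothing below writes a file.
destination d_collector { udp("192.0.2.10" port(514)); };

log { source(s_router); destination(d_collector); };
```

Two checks worth running before trusting it: `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` validates the file, and `grep -n 'file(' /etc/syslog-ng/syslog-ng.conf` should match only the /proc/kmsg source line, never a destination. On the collector, `tcpdump -ni eth0 udp port 514` shows the stream arriving. The caveats are the ones Bill's answer implies: with no local spool, a datagram that UDP drops is gone for good, messages written before the interface comes up are lost, and the stream is plaintext, so logging to the broadcast address means every host on that segment reads it, not just the collector.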
Ah, I see. I didn't read carefully past "stealth mode", it seems. I was thinking of this: http://www.linuxjournal.com/xstatic/articles/lj/0092/5476/5476s2.html and http://www.linuxjournal.com/article/6222. It's a hidden syslog server that's not attackable by common methods (well, except flooding with log messages; it's hard to eliminate DoS risks with any service). If you snip the send pair in its ethernet cable and hardcode MAC addresses then it's quite a secure log receiver.
I missed the beginning of the thread, but psyslogd may be what you are after. It's a sniffer that runs in promiscuous mode and listens exclusively for UDP syslog packets. It is basically a syslog daemon that doesn't need an IP address. Perfect to install on IDS servers that are monitoring traffic from, say, a DMZ. Get the other DMZ hosts to support syslog and to send their syslog events to 255.255.255.255, and psyslogd will catch it. Any hacker won't be able to tell where it is :-)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
participants (5): Albretch Mueller, Bill Nash, Jason Haar, Jens Grigel, SheBang