[syslog-ng] How about a "passive" syslog server?

Jason Haar syslog-ng@lists.balabit.hu
Thu, 3 Apr 2003 14:50:05 +1200


Hi there

I'm wanting to put up a syslog server that runs on an IDS. As such the
"sniffed" interfaces don't have (or want) IP addresses. So what I need is a
syslog server that can sniff syslog packets as they come across the
interfaces in promiscuous mode.

There is a product called passlogd that supposedly does this - but it has
always crashed on startup for me. However I was wondering if this could be a
feature request for syslog-ng.

Linux's netfilter has the REDIRECT rulesets which could be used to do this
as well. I mean, right now we use REDIRECT so that our Squid proxy server
can act as a transparent proxy server, so what about syslog-ng?  As Squid
requires you to enable it - I suppose syslog-ng would still need to be
altered to support that option too?

Anyone else tried to do this? The security advantage is that you could
enable syslog in your DMZes, point them at a non-existent IP address, and
your IDS could pick up those messages as they flow past it. Any server
compromise leads the hackers to believe there is a syslog server - but it's
down...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
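A passive decoder for the setup described in this post, added here as an illustration and not part of the original thread or of syslog-ng: it pulls UDP/514 syslog datagrams out of raw Ethernet frames, which is what a Linux AF_PACKET socket bound to an address-less, promiscuous IDS port hands back. The port number, the sample hosts and the sample message are assumptions.

```python
# Passive syslog capture: decode UDP/514 datagrams from raw Ethernet frames
# (what an AF_PACKET socket on an address-less, promiscuous IDS port returns).
import socket
import struct

SYSLOG_PORT = 514  # assumption: senders use the default UDP syslog port


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, facility, severity, msg) for a UDP syslog
    datagram, or None if the frame is not one."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                          # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != 17:     # protocol 17 = UDP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != SYSLOG_PORT:
        return None
    payload = udp[8:ulen]
    # RFC 3164 style: "<PRI>" prefix, PRI = facility * 8 + severity
    end = payload.find(b">")
    if not payload.startswith(b"<") or end < 2 or end > 4 \
            or not payload[1:end].isdigit():
        return None
    pri = int(payload[1:end])
    return src, dst, pri >> 3, pri & 7, payload[end + 1:].decode("utf-8", "replace")


def build_frame(src_ip: str, dst_ip: str, msg: bytes) -> bytes:
    """Constructed test frame (Ethernet + IPv4 + UDP), not captured traffic."""
    udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, 8 + len(msg), 0) + msg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def sniff(interface: str):
    """Live mode (Linux, needs CAP_NET_RAW): AF_PACKET yields every frame the
    port receives, so the listening box needs no IP address on that link."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((interface, 0))
    while True:
        rec = parse_frame(s.recv(65535))
        if rec:
            yield rec


if __name__ == "__main__":
    # Constructed sample: a DMZ host logging to a dead address, as the post suggests.
    demo = build_frame("10.0.0.5", "10.0.0.250",
                       b"<34>Apr  3 14:50:05 dmzhost sshd[123]: session opened")
    print(parse_frame(demo))
```

Facility 4 / severity 2 in the sample decode to auth / critical; on a real sensor you would feed `sniff("eth1")` into your normal log pipeline.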