[syslog-ng] ng-syslog logging in a stealth mode

SheBang infosec at gmail.com
Tue Sep 13 20:33:26 CEST 2005


Ah, I see. I didn't read carefully past "stealth mode" it seems. I was 
thinking of this:

http://www.linuxjournal.com/xstatic/articles/lj/0092/5476/5476s2.html

http://www.linuxjournal.com/article/6222

It's a hidden syslog server that's not attackable by common methods (well 
except flooding with log messages - hard to eliminate DoS risks with any 
service). If you snip the send pair in its ethernet cable and hardcode MAC 
addresses then it's quite a secure log receiver.

On 9/13/05, Bill Nash <billn at billn.net> wrote:
> 
> 
> You mean..
> 
> Log all activity on the box and forward it off to another device, storing
> nothing locally?
> 
> Declare a source of /dev/log.
> 
> Declare a sole udp destination of the IP you want to log to. (I've always
> liked the idea of a home or office network being logged to the inside NAT
> broadcast address so any workstation can monitor logging, but I'm weird
> like that.)
> 
> Remove all lines that log to files.
> 
> And you're done.
> 
> - billn
> 
> On Tue, 13 Sep 2005, Albretch Mueller wrote:
> 
> > Hi *,
> >
> > I would like for system logs like the ones produced by the kernel, iptables
> > (generally in /var/log/syslog), as well as any other applications running in a
> > Linux-based router to be processed by an ng-syslog client and just popped as
> > UDP packets
> >
> > I looked into http://www.campin.net/syslog-ng/faq.html and couldn't see any
> > particular info on this specifically and I also searched
> > http://marc.theaimsgroup.com/?l=syslog-ng for 'stealth' and didn't get any
> > hits (a search on 'UDP' would dump millions of hits on you ;-))
> >
> > How could you do something like that?
> >
> > Thanks
> > Albretch
> >
> >
> > _______________________________________________
> > syslog-ng maillist - syslog-ng at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
> >
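Bill Nash's three steps, written out as a pair of syslog-ng configurations for the router and for the hidden receiver. This is an added example, not a configuration posted by anyone in the thread; it uses classic syslog-ng syntax (unix-stream, file, udp, log), and the IP address, interface name and MAC address are constructed placeholders.

```conf
# --- /etc/syslog-ng/syslog-ng.conf on the router (the sender) ---
# No file() destination anywhere: the router keeps nothing locally, so an
# intruder who gets root on it finds no log to edit or delete.
options {
    use_dns(no);          # never resolve names: no DNS traffic, no stalls
    keep_hostname(yes);
    chain_hostnames(no);
};

source s_local {
    unix-stream("/dev/log");   # everything that talks to syslog(3)
    file("/proc/kmsg");        # kernel ring buffer, where iptables LOG hits land
                               # (stop klogd so the two do not compete for it)
    internal();                # syslog-ng's own diagnostics
};

# 192.0.2.10 is a constructed example address for the log receiver.
destination d_stealth {
    udp("192.0.2.10" port(514));
};

log { source(s_local); destination(d_stealth); };


# --- /etc/syslog-ng/syslog-ng.conf on the hidden receiver ---
# Listens on UDP/514 only and files messages per sending host per day.
# With its transmit pair cut the box cannot answer ARP, so the router needs
# a static neighbour entry for it (constructed example values):
#   ip neigh replace 192.0.2.10 lladdr 00:00:5e:00:53:01 nud permanent dev eth0
options {
    use_dns(no);
    keep_hostname(yes);   # trust the hostname the router put in the message
    create_dirs(yes);     # make /var/log/remote/<host>/ on first message
};

source s_net {
    udp(ip(0.0.0.0) port(514));
};

destination d_archive {
    file("/var/log/remote/$HOST/$YEAR$MONTH$DAY.log"
         owner(root) group(root) perm(0600));
};

log { source(s_net); destination(d_archive); };
```

The receiver still accepts anything that reaches UDP/514, which is the flooding risk mentioned above; the static ARP entry only removes the need for the receiver to transmit, it does not authenticate the sender.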