[syslog-ng] Re: ng-syslog logging in a stealth mode
Albretch Mueller
lbrtchx at hotmail.com
Thu Sep 15 18:06:40 CEST 2005
OK, here is my 'take' on your replies. It took me a little
time to go over your points
// __ SheBang
>Great idea, but running in stealth mode isn't a function of syslog-ng, it's
>a function of a network capture tool such as tcpdump or ngrep.
: I meant 'stealth mode' in a literal way, not as an option or working
mode of ngsyslog
// __
>dump the syslog contents to a file (need to do a little scripting here
>perhaps, though not much) and have syslog-ng read from that file.
: I won't have a filesystem around, or say the application is booting and
running off a CD-ROM (+RAM) and a ramdisk (or something similar) is NOT
available
// __ Jens Grigel
>For the kernel messages you could use the netconsole kernel module to send
>any kernel messages directly via udp to a specified client as soon
>as the network is available, no need for running a local syslogd/klogd.
>Check kernel/Documentation/networking/Netconsole.txt for details.
: I was interested in reading about it, but the only page I could find was in
Japanese.
http://www.linux.or.jp/JF/JFdocs/kernel-docs-2.6/networking/netconsole.txt.html
Also the idea is NOT to "send any kernel messages directly via udp to a
specified client", because to send it 'directly' to an IP/client you must
declare this IP somehow, and everything should be stealth. The log
aggregator should only gobble whatever reaches its NIC, without the log
producing end being even aware of it (do you get it ;-))
// __ Bill Nash
>You mean..
>Log all activity on the box and forward it off to another device, storing
>nothing locally?
: No, I don't. I am not trying to store it locally and then forward it ...
// __ SheBang
>Ah, I see. I didn't read carefully past "stealth mode" it seems. I was
>thinking of this:
>http://www.linuxjournal.com/xstatic/articles/lj/0092/5476/5476s2.html
>http://www.linuxjournal.com/article/6222
>It's a hidden syslog server that's not attackable by common methods (well
>except flooding with log messages - hard to eliminate DoS risks with any
>service). If you snip the send pair in its ethernet cable and hardcode MAC
>addresses then it's quite a secure log receiver.
: Exactly! This is the idea "log files to a non-IP-addressed" ...
Thanks
Albretch
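The "non-IP-addressed" receiver discussed in this thread, written out as an added example (it is not code from the list, from syslog-ng, or from any of the posters): a passive listener decodes raw Ethernet/IPv4/UDP frames and keeps only syslog datagrams to port 514, so it never needs an IP address of its own. It assumes Linux (AF_PACKET), an interface name passed on the command line, and a constructed sample frame for testing; the destination IP 192.0.2.1 and the MACs in the test are made-up values.

```python
import socket
import struct
import sys

SYSLOG_PORT = 514  # UDP syslog, as discussed on the list

def extract_syslog(frame: bytes):
    """Decode one raw Ethernet frame. Return (src_ip, dst_mac, message) when
    it carries an IPv4/UDP datagram to port 514, otherwise None."""
    if len(frame) < 14 + 20 + 8:                          # Ethernet + min IPv4 + UDP
        return None
    dst_mac = frame[0:6].hex(':')
    if struct.unpack('!H', frame[12:14])[0] != 0x0800:    # IPv4 EtherType only
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:                    # version 4, proto 17 = UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip = socket.inet_ntoa(ip[12:16])
    udp = ip[ihl:]
    dport, ulen = struct.unpack('!HH', udp[2:6])
    if dport != SYSLOG_PORT:
        return None
    return src_ip, dst_mac, udp[8:ulen].decode('utf-8', errors='replace')

def build_frame(src_ip, dst_mac, message, dport=SYSLOG_PORT):
    """Constructed test input: the frame a sender would emit toward a
    hard-coded destination MAC (checksums left at 0; dst IP is made up)."""
    payload = message.encode()
    udp = struct.pack('!HHHH', SYSLOG_PORT, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton('192.0.2.1')) + udp
    eth = bytes.fromhex(dst_mac.replace(':', '')) + b'\x02' + b'\x00' * 5 + b'\x08\x00'
    return eth + ip

def sniff(iface):
    """Passive receiver: an AF_PACKET socket bound to an interface with no IP
    address still sees every frame the NIC delivers (Linux only, needs root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    while True:
        hit = extract_syslog(s.recv(65535))
        if hit:
            src_ip, dst_mac, msg = hit
            print(f'{src_ip} -> {dst_mac}: {msg.rstrip()}')

if __name__ == '__main__':
    sniff(sys.argv[1] if len(sys.argv) > 1 else 'eth0')
```

Because the collector only reads what arrives at the NIC, the sender still has to address the frames somehow (a static ARP entry or hard-coded MAC, as SheBang suggests); the collector itself answers nothing.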