[syslog-ng] Re: ng-syslog logging in a stealth mode

Bill Nash billn at billn.net
Thu Sep 15 18:54:00 CEST 2005


Shunting all data sent to the /dev/log pipe to a declared remote 
destination can still be done with syslog-ng. Something like GRsec would 
allow you to hide the presence of the daemon, as well. If the product is a 
firewall, a good GRsec implementation may not be a bad idea anyway.

- billn

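A syslog-ng configuration that does what the reply above describes: everything written to /dev/log (plus syslog-ng's own messages and the kernel ring buffer) is shunted to one remote UDP collector, with no file() destination so nothing is stored on the box. This is an added example, not configuration from the original post; the collector address 192.0.2.10 is a placeholder and the syntax assumes a syslog-ng 3.x release.

```syslog-ng
# Added example (syslog-ng 3.x syntax assumed). 192.0.2.10 is a placeholder collector.
options {
    use_dns(no);          # never resolve names: no DNS traffic, no blocking on lookups
    keep_hostname(yes);   # keep the originating host name in forwarded messages
    create_dirs(no);      # nothing is ever written to local disk
};

source s_local {
    unix-stream("/dev/log");                        # everything applications write to /dev/log
    internal();                                     # syslog-ng's own status messages
    file("/proc/kmsg" program_override("kernel"));  # kernel messages, no separate klogd needed
};

destination d_collector {
    udp("192.0.2.10" port(514));   # placeholder collector; the only place messages go
};

# One log path and no file() destination: no message is retained locally.
log { source(s_local); destination(d_collector); };
```

Because UDP is fire-and-forget, a collector that is down or a saturated link silently drops messages, so the receiving side should watch for gaps rather than assume completeness.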
On Thu, 15 Sep 2005, Albretch Mueller wrote:

> OK, here is my 'take' on your replies. It took me a little
> time to go over your points
>
> // __ SheBang
>> Great idea, but running in stealth mode isn't a function of syslog-ng, it's 
>> a function of a network capture tool such as tcpdump or ngrep.
>
> :  I meant 'stealth mode' in a literal way not as an option or working
> mode of ngsyslog
>
> // __
>> dump the syslog contents to a file (need to do a little scripting here 
>> perhaps, though not much) and have syslog-ng read from that file.
>
> :  I won't have a filesystem around, or say the application is booting and
> running off a CD-ROM (+RAM) and a ramdisk (or something similar) is NOT
> available
>
> // __ Jens Grigel
>> For the kernel messages you could use the netconsole kernel module to send 
>> any kernel messages directly via udp to a specified client as soon
>> as the network is available, no need for running a local syslogd/klogd.
>
>> Check kernel/Documentation/networking/Netconsole.txt for details.
>
> :  I was interested in reading about it, but the only page I could find was in
> Japanese.
>
> http://www.linux.or.jp/JF/JFdocs/kernel-docs-2.6/networking/netconsole.txt.html
>
> Also the idea is NOT to "send any kernel messages directly via udp to a
> specified client", because to send it 'directly' to an IP/client you must
> declare this IP somehow and everything should be stealth. The log aggregator
> should only gobble whatever reaches its NIC, without the log producing end
> being even aware of it (do you get it ;-))
>
> // __ Bill Nash
>
>> You mean..
>
>> Log all activity on the box and forward it off to another device, storing 
>> nothing locally?
>
> :  No, I don't. I am not trying to store it locally and then forward it ...
>
>
> // __ SheBang
>
>> Ah, I see. I didn't read carefully past "stealth mode" it seems. I was 
>> thinking of this:
>
>> http://www.linuxjournal.com/xstatic/articles/lj/0092/5476/5476s2.html
>> http://www.linuxjournal.com/article/6222
>
>> It's a hidden syslog server that's not attackable by common methods (well 
>> except flooding with log messages - hard to eliminate DoS risks with any 
>> service). If you snip the send pair in its ethernet cable and hardcode MAC 
>> addresses then it's quite a secure log receiver.
>
> :  Exactly! This is the idea "log files to a non-IP-addressed" ...
>
> Thanks
> Albretch
>