8.11 syslog

syslog is used to manage log messages in a centralized way. syslog got its start as a way of centrally recording messages for a set of UNIX machines, but many network devices (routers, hubs, etc.) now use syslog to report status and usage information. Such devices often don't even have a way to record this information locally, because they don't have any writable storage media; if you want to know what they're reporting, something has to be listening to their syslog messages. Attackers will often attempt to flood a site's syslog server in order to cover their tracks, so that the server runs out of disk space and stops logging new messages, or so that the evidence of their activities is lost in the noise.

8.11.1 Packet Filtering Characteristics of syslog

syslog is a UDP-based service. syslog servers (which record messages logged by other systems) listen on UDP port 514. syslog clients generally (but not always) use ports above 1023 to talk to servers. syslog servers never send messages back to clients. syslog servers can be configured to pass messages along to other syslog servers; in such cases, the sending server generally uses port 514 as the client port.
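The filtering characteristics above can be turned directly into a small rule table. The following is an added example, not code from the book: it models a packet filter that permits internal hosts to log to the site's syslog server, permits that server to relay to one upstream relay with source port 514, and denies everything else, including any "reply" from the server (which never legitimately occurs) and syslog arriving from outside the site. The addresses are constructed, and the decision to deny external syslog traffic is an assumption about site policy, not something the text states. Because clients do not always use ports above 1023, the rule for internal clients deliberately does not filter on source port.

```python
from dataclasses import dataclass

# Constructed values for the example; replace with the site's real addresses.
INTERNAL_PREFIX = "10.0.0."       # assumed internal network
SYSLOG_SERVER = "10.0.0.5"        # assumed site syslog server
UPSTREAM_RELAY = "192.0.2.10"     # assumed external relay the server forwards to


@dataclass(frozen=True)
class Packet:
    """The fields a stateless packet filter sees for a single datagram."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def decide(p: Packet) -> str:
    """Return 'permit' or 'deny' for one packet, evaluating rules in order."""
    # syslog is UDP only; nothing else on port 514 is syslog.
    if p.proto != "udp":
        return "deny"

    # Rule 1: internal clients -> site syslog server on UDP 514.
    # Source port is intentionally not checked: clients usually, but not
    # always, use ports above 1023.
    if is_internal(p.src) and p.dst == SYSLOG_SERVER and p.dport == 514:
        return "permit"

    # Rule 2: the site server relaying to its upstream relay. When a server
    # forwards, it generally uses 514 as the client (source) port as well.
    if (p.src == SYSLOG_SERVER and p.dst == UPSTREAM_RELAY
            and p.sport == 514 and p.dport == 514):
        return "permit"

    # Everything else is denied: servers never send messages back to
    # clients, and (by the assumed policy) syslog from outside the site is
    # not accepted, which removes one easy way to flood the server.
    return "deny"


def evaluate_all(packets):
    """Apply decide() to a sequence of packets; handy for auditing a rule set."""
    return [(p, decide(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("10.0.0.20", SYSLOG_SERVER, "udp", 40000, 514),  # client log
        Packet(SYSLOG_SERVER, UPSTREAM_RELAY, "udp", 514, 514),  # relay
        Packet("203.0.113.7", SYSLOG_SERVER, "udp", 514, 514),  # external
        Packet(SYSLOG_SERVER, "10.0.0.20", "udp", 514, 40000),  # bogus reply
    ]
    for p, verdict in evaluate_all(sample):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}: {verdict}")
```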
8.11.2 Proxying Characteristics of syslog

syslog is a self-proxying protocol; that is, syslog servers can generally be configured to simply pass messages they receive on to other syslog servers.

8.11.3 Summary of syslog Recommendations
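A self-proxying syslog server is the natural place to defend against the flooding described in 8.11: a relay that forwards every datagram it receives will simply pass a flood upstream and exhaust the upstream server's disk as well. The following is an added example, not code from the book or from any syslog implementation: it parses the `<PRI>` prefix of a BSD-style syslog datagram (facility = PRI / 8, severity = PRI % 8), counts messages per source per second, forwards messages under the limit through a caller-supplied `forward` callable (assumed to send over UDP from source port 514 in a real relay), and counts rather than forwards the excess so that a burst from one host cannot drown out the others. The message text and addresses are constructed.

```python
import re
from collections import defaultdict

# BSD syslog datagrams begin with "<PRI>", where PRI is 0..191.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(datagram: bytes):
    """Return (facility, severity, text) or None if the datagram is malformed."""
    m = PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8, m.group(2).decode("utf-8", "replace")


class RateLimitedRelay:
    """Relay that forwards at most max_per_second datagrams per source."""

    def __init__(self, max_per_second: int, forward):
        self.max_per_second = max_per_second
        self.forward = forward                  # callable(src, datagram)
        self.counts = defaultdict(int)          # (src, second) -> seen
        self.suppressed = defaultdict(int)      # src -> not forwarded
        self.malformed = 0

    def handle(self, src: str, datagram: bytes, now: float) -> str:
        """Process one datagram; returns what was done with it."""
        if parse_pri(datagram) is None:
            self.malformed += 1
            return "malformed"
        key = (src, int(now))
        self.counts[key] += 1
        if self.counts[key] > self.max_per_second:
            # Over the per-source budget for this second: count it so the
            # suppression itself is visible, but do not pass it upstream.
            self.suppressed[src] += 1
            return "suppressed"
        self.forward(src, datagram)
        return "relayed"

    def summary(self) -> dict:
        """Per-source suppression counts, worth logging as a single line
        so a flood shows up as one record instead of filling the disk."""
        return dict(self.suppressed)


def demo():
    """Constructed burst: one chatty host, one normal host, one bad datagram."""
    forwarded = []
    relay = RateLimitedRelay(3, lambda s, d: forwarded.append((s, d)))
    msg = b"<34>Oct 11 22:14:15 host su: 'su root' failed"   # constructed
    outcomes = [relay.handle("10.0.0.20", msg, 100.0) for _ in range(5)]
    outcomes.append(relay.handle("10.0.0.21", msg, 100.0))
    outcomes.append(relay.handle("10.0.0.20", b"not syslog", 100.0))
    return outcomes, len(forwarded), relay.summary()


if __name__ == "__main__":
    outcomes, n_forwarded, summary = demo()
    print(outcomes)
    print("forwarded:", n_forwarded, "suppressed:", summary)
```

A fixed one-second window is used for clarity; a token bucket gives smoother behaviour but the point is the same: the relay keeps its own record of what it refused to forward, so the flood is reduced to a count instead of erasing the evidence.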