SUMMARY: syslog remote logging

From: CyberPsychotic (fygrave@tigerteam.net)
Date: Mon Nov 23 1998 - 06:13:26 CST


Hello people,
 Here I have received a fairly clear explanation from Juergen Schreiner,
who gave me a couple of nice examples and pointed me to the secure
syslog site (which I probably shall use, since I am very security
concerned), and from Richard Hellier, who gave me a hint why syslog.conf would
have such weird syntax. Here are the details:

~ From: juergen.schreiner@mchp.siemens.de
~
~ Remote logging is very easy.
~ Let's assume you want to log every *.debug message to
~ your loghost:
~
~ [root@client_host]# vi /etc/syslog.conf
~ ...
~ # myloghost is the name of the host which should
~ # receive the messages
~ *.debug @myloghost
~ ...
~
~ [root@myloghost]# vi /etc/syslog.conf
~ ...
~ auth.debug /var/adm/auth.debug
~ daemon.debug /var/adm/daemon.debug
~ ...
~
~ Keep in mind that the field delimiter in syslog.conf is <TAB> !!
~ On the logging host the corresponding files (/var/adm/auth.debug,
~ /var/adm/daemon.debug ...) must already exist.
~

:) Actually, 'TAB' was the thing I missed while doing my testing
(since not many daemons see the difference between TAB and 'SPACE';
sendmail is probably the only other one I could think of).
 
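The TAB delimiter and the "target file must already exist" rule from the reply above are easy to get wrong and hard to spot by eye. The following script is an added example, not code from the thread or from any syslogd: it writes a constructed syslog.conf (hypothetical loghost name and log directory) and lints it for both pitfalls.

```shell
#!/bin/sh
# Added example (not from the thread): lint a classic syslog.conf for the two
# pitfalls the replies point out. Selector and action must be separated by a
# TAB, and on the loghost every local target file must already exist, since
# traditional syslogd does not create them.

# Constructed sample (hypothetical loghost name and log directory).
LOGDIR="${TMPDIR:-/tmp}/syslog_lint.$$"
SAMPLE_CONF="$LOGDIR/syslog.conf"
mkdir -p "$LOGDIR"
trap 'rm -rf "$LOGDIR"' EXIT
: > "$LOGDIR/auth.debug"            # exists, as it should
# daemon.debug and kern.debug are deliberately NOT created

{
    printf '# forward everything to the loghost (hypothetical name)\n'
    printf '*.debug\t@myloghost\n'
    printf 'auth.debug\t%s/auth.debug\n'   "$LOGDIR"   # correct: TAB delimited
    printf 'daemon.debug %s/daemon.debug\n' "$LOGDIR"   # wrong: spaces only
    printf 'kern.debug\t%s/kern.debug\n'   "$LOGDIR"   # TAB ok, file missing
} > "$SAMPLE_CONF"

# Count non-comment rules that contain no TAB at all. Classic syslogds
# require the TAB here and do not treat runs of spaces as the delimiter.
count_space_delimited() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && index($0, "\t") == 0 { n++ }
         END { print n + 0 }' "$1"
}

# Print every TAB-delimited action field that is a local file path and
# does not exist yet (remote "@host" actions are skipped).
missing_log_files() {
    awk -F'\t' '!/^[[:space:]]*#/ && NF >= 2 && $2 ~ /^\// { print $2 }' "$1" |
    while IFS= read -r target; do
        [ -e "$target" ] || printf '%s\n' "$target"
    done
}

# Exit status 0 only when the file is clean on both counts.
lint_syslog_conf() {
    bad=$(count_space_delimited "$1")
    missing=$(missing_log_files "$1" | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] && [ "$missing" -eq 0 ]
}

echo "space-delimited rules: $(count_space_delimited "$SAMPLE_CONF")"
echo "missing target files:"
missing_log_files "$SAMPLE_CONF"
lint_syslog_conf "$SAMPLE_CONF" || echo "syslog.conf has problems"
```

Run it as-is to see the constructed sample fail on one space-delimited rule and one missing target; to check a real file, call `lint_syslog_conf /etc/syslog.conf` on the loghost, which is where the "file must exist" rule bites.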

Another thing which made me suspicious about syslog is that anyone
could push logs to my syslog and thus several attacks could be brought to
life (there are a few overflows in the syslog logging path; the latest
was found recently in the klog routine, which is useless when exploited
locally /since I would have to be a piece of kernel/, but is probably a real
danger if it could be exploited remotely). Plus several DoS attacks come
to mind.

The only solutions which were figured out here are:
1. use packet filtering. (firewalls/ipf/..).
2. use secure syslog : http://www.core-sdi.com/ssyslog
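For solution 1 above, this is what the packet-filter half looks like with ipfilter (ipf), as an added example that is not part of the original post or of the ssyslog package: the loghost accepts UDP/514 only from one known client. Interface name and addresses are hypothetical.

```text
# Added example (not from the thread): ipf rules on the loghost.
# "quick" makes the first matching rule final, so the pass must come first.
pass  in quick on hme0 proto udp from 192.0.2.10 to 192.0.2.1 port = 514
block in quick on hme0 proto udp from any to any port = 514
```

Since classic syslog over UDP carries no authentication, a filter on source address only stops messages that arrive with an unexpected source; it is a reasonable first layer, which is why the thread pairs it with secure syslog rather than relying on it alone.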

Now on to the syntax things:

~ From: rlh <rlh@lsil.com>

[..]
~ Syslog config files are preprocessed by the "m4"
~ macro processor before being processed by the "syslogd"
~ daemon.
[..]

This explains those 'weird' constructions in syslog.conf, which I
discovered on my Solaris 2.5.1 installation. So to enable logging to a
remote host, all I have to do is add:

define(`LOGHOST',`loghost.name.com')dnl
or similar to the syslog.conf file.

 Thanks a lot to everyone who helped. :)

 Best regards
Fyodor

--
Fyodor Yarochkin	tel:[996-3312] 474465	  email:fygrave@tigerteam.net
http://www.kalug.lug.net/	   PGP key: hkp://keys.pgp.com/cyberpsychotic
echo 'subscribe kalug' | mail majordomo@krsu.edu.kg  :  join Kyrgyztani L.U.G.



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:53 CDT