Cyber Security Awareness Month - Day 14 - port 514 - syslog

Published: 2009-10-14
Last Updated: 2009-10-14 11:54:40 UTC
by David Goldsmith (Version: 1)
7 comment(s)

Often times, if hackers or worms break into your computer, they will try to delete the logs on the local computer to help hide their tracks.  Having all your computers submit their local logs to a central log server will help you maintain copies of those logs.  Even if a bad guy isn't trying to delete your logs, its also a good way to aggregate log data and to review it centrally using tools such as Swatch, Logsurfer or SEC to see if there are unusual events occurring on your systems.  These three tools all allow you to build a set of rules to help filter the log traffic.  Messages that are 'normal' noise can be ignored and messages that are indicative of unusual activity can generate an alert to notify your admins to review the activities.

There are 3 main syslog packages at this time:

1) syslog - the original syslog program.  This only supports sending messages to the central log server over UDP.  As such, you have no guarantees that the messages will get to the central server.  Because it is UDP based, it is important that you use a firewall to block inbound UDP syslog traffic from the Internet.  This is so malicious users can not send in a flood of syslog entries that result in filling up the filesystem on your central syslog server.

2) syslog-ng - in the spirit of Star Trek, this is 'syslog - the next generation'.  syslog-ng includes support to submit logs to a central server using TCP, so it can compensate for packets that got lost due to network issues or slow down sending if there is network congestion.  syslog-ng also can use supplemental tools, such as stunnel to encrypt the log traffic between the source and the central log server using SSL.

3) rsyslog - this is the latest syslog replacement.  It can use TCP as well for more reliable communication.  It now has native encryption support built-in, eliminating the need to use a second tool like stunnel to secure the network communication.  It can also use MySQL as a storage backend rather than flat text files.  This is useful for tools such as phplogcon which can be used to visualize the log data.

For environments with Windows systems, there are add-ons you can install to allow you to submit your various Windows event logs to a syslog server as well.  Some examples of these products are winlogd, SNARE, and  a Perl module Win32::Syslog.

7 comment(s)


Here's another suggestion for getting Windows event logs to a central log server via UDP:

It's small, lightweight and I've never had problems with it.
You should also copy your firewall events to a syslog. That should be backed up daily as well. In the event of an intrusion or breach the data in invaluable. We also have filter lists on switches that will allow the data to pass, and also log it. We monitor suspicious ports that way and get immediate alerts. We know it is happening, but the intruder is not alerted in any way he has stepped on a wire so to speak.
One of the best features of syslog-ng is it can automatically sort log messages based on the host they came from. This is very helpful on a central logging server. I have one log subdirectory per host on mine.
The new version of Kiwi Syslog Server also includes an agent for forwarding Windows event logs.

Just a FYI
I don't think Syslog-NG got enough credit there. You mention MySQL as storage for rsyslog. Syslog-NG can also log to various databases. I have it log to files, split by date and system as Al mentioned, it's also forwarding to a central syslog server. That central syslog server is logging to Postgres, and it is also sending syslog alerts to an internal IRC channel (so we can watch the logs in "real-time" :) There are various Syslog-NG/Postgres HowTo's on the Internet, such as
Syslog-NG is a swiss-army knife when it comes to logging.
One word SPLUNK
It's easier, it's distributed, it's GUI.

Syslong is only as useful as being able to search through it. My datacenter logs every server, switch, firewall, even printer to twin SPLUNK servers. Can easily spot trends, run statistics, and export info.

I say you absolutely have to pay for it, free version works just as good.
Caution Will Robinson - some firewalls (Cisco) will block all traffic by default if syslog becomes unavailable and TCP is configured for syslogs.

Some may feel this to be a good thing, some may not.

Diary Archives