Shunting all data sent to the /dev/log pipe to a declared remote
destination can still be done with syslog-ng. Something like GRsec would
allow you to hide the presence of the daemon, as well. If the product is a
firewall, a good GRsec implementation may not be a bad idea anyway.
- billn
On Thu, 15 Sep 2005, Albretch Mueller wrote:
OK, here is my 'take' on your replies. It took me a little
time to go over your points
// __ SheBang
Great idea, but running in stealth mode isn't a function of syslog-ng, it's
a function of a network capture tool such as tcpdump or ngrep.
: I meant 'stealth mode' in a literal way, not as an option or working
mode of ngsyslog
// __
dump the syslog contents to a file (need to do a little scripting here
perhaps, though not much) and have syslog-ng read from that file.
: I won't have a filesystem around, or say the application is booting and
running off a CD-ROM (+RAM) and a ramdisk (or something similar) is NOT
available
// __
// __ Jens Grigel
For the kernel messages you could use the netconsole kernel module to send
any kernel messages directly via udp to a specified client as soon
as the network is available, no need for running a local syslogd/klogd.
Check kernel/Documentation/networking/Netconsole.txt for details.
: I was interested in reading about it, but the only page I could find was in
Japanese.
http://www.linux.or.jp/JF/JFdocs/kernel-docs-2.6/networking/netconsole.txt.html
Also the idea is NOT to "send any kernel messages directly via udp to a
specified client", because to send it 'directly' to an IP/client you must
declare this IP somehow, and everything should be stealth. The log aggregator
should only gobble whatever reaches its NIC, without the log producing end
being even aware of it (do you get it ;-))
// __ Bill Nash
You mean..
Log all activity on the box and forward it off to another device, storing
nothing locally?
: No, I don't. I am not trying to store it locally and then forward it ...
// __ SheBang
Ah, I see. I didn't read carefully past "stealth mode", it seems. I was
thinking of this:
http://www.linuxjournal.com/xstatic/articles/lj/0092/5476/5476s2.html
http://www.linuxjournal.com/article/6222
It's a hidden syslog server that's not attackable by common methods (well
except flooding with log messages - hard to eliminate DoS risks with any
service). If you snip the send pair in its ethernet cable and hardcode MAC
addresses then it's quite a secure log receiver.
: Exactly! This is the idea: "log files to a non-IP-addressed" ...
Thanks
Albretch
_______________________________________________
syslog-ng maillist - syslog-ng@xxxxxxxxxxxxxxxx
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at
http://www.campin.net/syslog-ng/faq.html
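The receiver SheBang and Albretch converge on takes syslog datagrams straight off the wire: the sending host addresses them to an IP that nobody owns, with a static ARP entry pointing at the aggregator's MAC, and the aggregator reads frames from an interface that has no address at all. The following is an added example of that receiver side, written for this thread; it is not code from any of the posts or from syslog-ng. Every address, MAC and the sample frame are constructed, and sniff() needs Linux and CAP_NET_RAW.

```python
"""Receive-only syslog capture for a log host whose NIC has no IP address.
Added example for this thread: it is not code from the original posts or
from syslog-ng.  Addresses, MACs and the sample frame below are constructed."""
import socket
import struct
from typing import Optional, Tuple

SYSLOG_PORT = 514
ETH_P_IP, ETH_P_ALL, IPPROTO_UDP = 0x0800, 0x0003, 17
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_pri(line: str) -> Tuple[int, str]:
    """RFC 3164 PRI is '<n>' with n <= 191 at the very start of the message.
    Anything else is treated as <13> (user.notice), as receivers are told to."""
    if line.startswith("<"):
        end = line.find(">", 1, 5)
        if end > 1 and line[1:end].isdigit() and int(line[1:end]) <= 191:
            return int(line[1:end]), line[end + 1:]
    return 13, line


def decode_frame(frame: bytes) -> Optional[dict]:
    """Ethernet -> IPv4 -> UDP -> syslog, done by hand because no IP stack is
    terminating these packets.  Returns None for anything that is not a UDP
    datagram to port 514.  The destination IP is reported but never checked:
    the whole point is that nobody on the segment owns it."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_UDP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != SYSLOG_PORT:
        return None
    pri, text = split_pri(udp[8:ulen].decode("utf-8", "replace"))
    facility = FACILITIES[pri // 8] if pri // 8 < len(FACILITIES) else str(pri // 8)
    return {"src": src, "dst": dst, "sport": sport, "facility": facility,
            "severity": SEVERITIES[pri % 8], "message": text}


def build_frame(src_ip: str, dst_ip: str, dst_mac: bytes, payload: bytes) -> bytes:
    """What the sending host puts on the wire once it has a static ARP entry for
    dst_ip.  Only here to make the example self-contained; IP/UDP checksums are
    left at zero because decode_frame() does not verify them."""
    udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    src_mac = bytes.fromhex("0242ac110002")          # constructed sender MAC
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + udp


# Constructed: firewall 192.0.2.10 logs to the phantom address 192.0.2.250, which
# its kernel maps to the aggregator's MAC through a static neighbour entry, no ARP.
AGGREGATOR_MAC = bytes.fromhex("02005e0000aa")
SAMPLE_FRAME = build_frame("192.0.2.10", "192.0.2.250", AGGREGATOR_MAC,
                           b"<38>Sep 15 10:38:51 fw01 sshd[1234]: Accepted publickey for ops")


def sniff(interface: str) -> None:
    """Linux only; needs CAP_NET_RAW.  AF_PACKET delivers every frame the NIC
    receives whether or not the interface has an address, so the aggregator
    never has to transmit; a cut transmit pair guarantees that it cannot."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((interface, 0))
    while True:
        rec = decode_frame(sock.recv(65535))
        if rec:
            print(f"{rec['src']} {rec['facility']}.{rec['severity']} {rec['message']}")


if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))     # offline demonstration on the constructed frame
    # sniff("eth1")                        # uncomment on the aggregator itself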
Next Message by Date:
syslog-ng 1.6.8 bug: not maintaining priority
If I use the template option for TCP or UDP destinations, the priority of
a message is always user.notice.
I set up a syslog.conf as
source local { unix-dgram("/dev/log"); internal(); };
source network { udp(port(514)); tcp(port(514)); };
destination syslogng { file("/var/log/syslog-ng" template("$DATE $HOST $FACILITY $PRIORITY $MESSAGE\n")); };
destination self { udp("cashmere.comp.uvic.ca" template("$FACILITY $PRIORITY From $HOST: $MESSAGE\n")); };
log { source(local); destination(self); };
log { source(network); destination(syslogng); };
and then I ran
logger -p ftp.alert "everything is wrong"
and I got the following in the /var/log/syslog-ng file
Sep 15 10:38:51 cashmere.comp.uvic.ca user notice ftp alert From cashmere.comp.uvic.ca: sysprog: everything is wrong
Notice that the UDP-sent message contains the original ftp.alert priority,
but when the message is received via UDP, the message has priority
user.notice.
Am I doing something wrong?
--
Evan Rempel erempel@xxxxxxx
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
Next Message by Thread:
feature request: Priority remap
It would be nice to be able to use syslog-ng as a filter from the syslog
sources to a final syslog server, but in doing so, change the priority of a
message based on some filter expressions.
As an example, I have an application that does not support syslog. It can log
all of its messages to its standard out, so it is easy to use
application | logger -p user.info -t application
but this assigns the same priority to all messages.
I would like to run this through a syslog-ng server to
match expressions for -t application and then regular expressions and send them
on to the production syslog server with level of error, critical, warning, info
and debug.
An option for a TCP/UDP destination that would set the facility/level of
the messages would be nice.
Thanks,
--
Evan Rempel erempel@xxxxxxx
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
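Both of Evan's messages above come down to the numeric `<PRI>` header that carries facility and level. A syslog-ng template() for a network destination replaces the whole outgoing message, so a template that does not start with the PRI header sends a datagram with no PRI, and the receiver is required by RFC 3164 to treat it as `<13>` (user.notice); current syslog-ng versions expose the number as the `$PRI` macro, so starting the template with `<$PRI>` keeps the original priority. The block below is an added example written for this page, not syslog-ng code: encode() and decode() reproduce the sender and receiver sides of the bug report, and severity_for()/to_syslog() implement the regex-driven remap of the feature request as a pipe between the application's stdout and the network. The rules, hostnames, sample lines and the receiver address are constructed.

```python
"""PRI handling behind the bug report and the feature request above.
Added example, not syslog-ng code: encode()/decode() mimic a sender and a
receiver, severity_for() is the regex-driven remap; rules, hosts and sample
lines are constructed for the example."""
import re
import socket
import sys
from typing import Tuple

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
DEFAULT_PRI = 13  # <13> = user.notice, what a receiver assumes when PRI is absent


def encode(facility: str, severity: str, body: str, with_pri: bool = True) -> bytes:
    """Render an RFC 3164 datagram.  with_pri=False is what a syslog-ng
    destination with template("$FACILITY $PRIORITY From $HOST: $MESSAGE\n")
    puts on the wire: the template output replaces the entire message, and
    the numeric '<PRI>' header is not part of that template."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return ((f"<{pri}>" if with_pri else "") + body).encode()


def decode(datagram: bytes) -> Tuple[str, str, str]:
    """The receiver's view: (facility, severity, text).  RFC 3164 section 4.3.3
    says a message with no usable PRI is treated as '<13>', so the words
    'ftp alert' inside the text do not help; only the header counts."""
    text = datagram.decode("utf-8", "replace")
    pri = DEFAULT_PRI
    m = re.match(r"<(\d{1,3})>", text)
    if m and int(m.group(1)) <= 191:
        pri, text = int(m.group(1)), text[m.end():]
    return FACILITY_NAME.get(pri // 8, str(pri // 8)), SEVERITY_NAME[pri % 8], text


# The remap: first matching pattern wins, anything else gets the default level.
# Patterns are constructed for the example; adapt them to the application.
RULES = [
    (re.compile(r"\b(FATAL|PANIC)\b"), "crit"),
    (re.compile(r"\bERROR\b|Traceback \(most recent call last\)"), "err"),
    (re.compile(r"\bWARN(ING)?\b"), "warning"),
    (re.compile(r"\bDEBUG\b"), "debug"),
]


def severity_for(line: str, default: str = "info") -> str:
    """Severity chosen for one line of the application's stdout."""
    for pattern, severity in RULES:
        if pattern.search(line):
            return severity
    return default


def to_syslog(line: str, tag: str = "application", facility: str = "local3") -> bytes:
    """Equivalent of 'logger -p <facility>.<level> -t <tag>' with the level
    picked per line instead of fixed for the whole stream."""
    return encode(facility, severity_for(line), f"{tag}: {line.rstrip()}")


def main(receiver: str, port: int = 514) -> None:
    """Usage: application | python remap.py 192.0.2.5  (address is constructed)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in sys.stdin:
        sock.sendto(to_syslog(line), (receiver, port))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:  # offline demonstration of what the bug report observed
        print(decode(encode("ftp", "alert", "everything is wrong")))
        print(decode(encode("ftp", "alert", "ftp alert From cashmere: everything is wrong",
                            with_pri=False)))
```

Run without arguments it prints the same message decoded twice: with the header it comes back as ftp.alert, without it as user.notice, which is exactly the pair of lines in the bug report. With a receiver address it reads stdin and sends one datagram per line, so it sits where `logger -p user.info -t application` sat, but picks the level per line.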