How to setup and configure syslog to view and filter data - Information Security Magazine - Page 1

How to setup and configure syslog to view and filter data

Your network devices are trying to tell you that you're under attack. Syslog helps you sort through the data overload to get the message.


A key tenet of security is that, although prevention is ideal, detection is a must. And early detection is critical. Detecting an attack is like a spotting a fire -- it's easier to put out and damage will be minimal if you catch it at the start.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.
Syslog for Windows

Kiwi Enterprises' Kiwi Syslog Daemon is one of the most popular tools for enabling syslog on Windows devices. It is a fully functioning syslog server for Windows and can integrate across an entire network.

Logs are the eyes and ears of your network; they capture events and tell you when fire breaks out. Whether it is building a firewall rule set, tuning an IDS or validating which ports should be open on a server, logs are going to give you the information you need to make these critical decisions -- if you are looking.

It's practically impossible to wade through the volumes of log data produced by all your servers and network devices. It is critical to put all events into a single format so they can be analyzed and correlated. Syslog exists in native form for most non-Windows operating systems and devices including Unix, all Unix daemons, routers, firewalls, switches and Web servers. There are free and commercial tools, such as Kiwi Enterprises' Kiwi Syslog Daemon, that allow Windows to integrate with syslog. (See "Syslog for Windows")

With a relatively small investment of time, you can learn how to reap the following benefits of syslog:

  • Visibility into network activity.


  • Creation of a central repository for host logs, giving you a single location for backing up or analyzing log files.


  • Correlation across many diverse systems. Typi-cally, for example, server logs are viewed independent from router logs. With syslog, you can view them all together to better understand what's happening on your network.


  • Validation for other devices. A syslog server can make sure other devices are working properly. For example, if a firewall is supposed to be blocking a certain type of traffic that appears in a syslog entry, it means something is not working or is configured incorrectly.


  • Detection of attacks by enabling you to quickly spot potentially malicious events.

This was first published in January 2007