How to set up and configure syslog to view and filter data


Best Practices: How to Configure Syslog
Syslog provides insight into what is happening on a network, but to get the most value out of it, it must be configured correctly. Here are some tips for maximizing the value of syslog at your organization.

  • Compare local and remote logs. An attacker who gains control of a device can edit or truncate its local log files to cover his tracks, but he cannot reach back into a central syslog server to remove the copy it has already received. A script can compare each host's local log with the collector's record for that host: lines that appear on the collector but not on the host mean the local file was altered, and the device should be treated as compromised. Lines that appear locally but never reached the collector are a weaker signal, since syslog over UDP can lose messages in transit; treat them as a lead rather than proof.

  • Move the syslog config file. The default configuration file is /etc/syslog.conf, and it is one of the first places an attacker looks. If it shows logs being forwarded to a remote syslog server, he will try to stop the logging daemon or launch a DoS attack against the central collector. You can mislead him: leave a decoy /etc/syslog.conf that logs only to the local host, keep the real configuration in a different location, and point the daemon at it, either by recompiling it with the new path or by using the daemon's command-line option for an alternate configuration file (rsyslogd and syslog-ng both have one). The attacker will have no idea that you are logging remotely. Bear in mind that this is concealment, not protection: an attacker with root can still watch the host's network traffic or list the daemon's open sockets, so the decoy buys time rather than guaranteeing the logs get out.

  • Employ write-once logging. Because syslog records may be needed as evidence in court, their integrity must be demonstrable. The simplest approach is to copy the collector's logs to write-once media, typically a WORM drive, so that nothing written can later be altered or deleted.

  • Transmit syslog over SSH. Syslog is sent in plaintext, so anyone who can observe the network path can read it or alter it in flight. To protect the transmission, tunnel it over SSH, which is available on almost every system and adds little overhead. Besides encrypting the data, SSH gives you strong authentication and host-key validation, so you know the collector you are sending to is the real one and that what it receives is what you sent. Note that SSH port forwarding carries TCP only, so the daemon must send syslog over TCP to the forwarded local port rather than over the traditional UDP port 514.

  • Use Network Time Protocol. Correlating events across many systems requires that all of them agree on the time. Network Time Protocol (NTP) is an easy way to synchronize every system's clock to a reliable source; without it, timestamps from different hosts cannot be lined up.
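The comparison described in the first tip, as an added example that is not part of the original article: a Python script that checks a host's local log against the copy held on the central syslog server and reports what was removed locally and what was planted. It assumes both files use the classic BSD syslog line format and that the collector preserves the sender's timestamps (if your collector re-stamps messages on receipt, use the ignore_timestamp option). The two log excerpts embedded in it are constructed for the demonstration; the hostnames web01 and db01 and the addresses are placeholders.

```python
"""Compare a host's local syslog file with the copy kept by the central
syslog server and report every line that differs (added example, not the
article's code). Assumes classic BSD syslog lines, "Mon DD HH:MM:SS host
tag[pid]: message", and a collector that keeps the sender's timestamp
(if it re-stamps on receipt, pass ignore_timestamp=True). The sample
lines below are constructed for the demonstration, not real logs."""
import re
from collections import Counter

# Timestamp, originating host, program tag (with optional [pid]), message.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)


def normalize(line, ignore_timestamp=False):
    """One syslog line -> comparison key, or None for a blank line.
    Whitespace runs are collapsed so re-spaced copies still match; lines
    that do not parse (e.g. "-- MARK --") get a "raw" key, not dropped."""
    line = " ".join(line.split())
    if not line:
        return None
    m = SYSLOG_LINE.match(line)
    if not m:
        return ("raw", line)
    return ("" if ignore_timestamp else m["ts"], m["host"], m["tag"], m["msg"])


def load_keys(lines, host=None, ignore_timestamp=False):
    """Multiset of keys for an iterable of lines. The collector's file holds
    every sender's traffic, so pass host= to keep one sender; "raw" lines are
    then skipped on both sides because they carry no hostname to filter on."""
    keys = Counter()
    for line in lines:
        key = normalize(line, ignore_timestamp)
        if key is None or (host is not None and (key[0] == "raw" or key[1] != host)):
            continue
        keys[key] += 1
    return keys


def compare_logs(local_lines, remote_lines, host=None, ignore_timestamp=False):
    """Return (missing_locally, extra_locally) as sorted lists of keys.
    missing_locally: on the collector, absent locally -> the local file was
        edited or truncated (or rotated: check rotated copies first).
    extra_locally: local only, never reached the collector -> planted to
        explain activity away, or lost in transit (UDP syslog gives no
        delivery guarantee), so treat it as a lead rather than proof."""
    local = load_keys(local_lines, host, ignore_timestamp)
    remote = load_keys(remote_lines, host, ignore_timestamp)
    return (sorted((remote - local).elements()),
            sorted((local - remote).elements()))


# Constructed sample: the collector's record, which also carries traffic from
# another host (db01) that the comparison for web01 must ignore.
REMOTE_COPY = """\
Jan 15 10:00:01 web01 sshd[1204]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Jan 15 10:00:09 db01 postgres[880]: checkpoint starting: time
Jan 15 10:02:14 web01 sshd[1231]: Failed password for root from 203.0.113.7 port 44012 ssh2
Jan 15 10:02:15 web01 sshd[1231]: Failed password for root from 203.0.113.7 port 44012 ssh2
Jan 15 10:02:41 web01 sshd[1231]: Accepted password for root from 203.0.113.7 port 44012 ssh2
Jan 15 10:03:02 web01 useradd[1250]: new user: name=support, UID=0, GID=0, home=/root, shell=/bin/bash
Jan 15 10:05:00 web01 cron[1270]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed sample: web01's local file after the intruder "cleaned up". The
# root logins and the useradd line are gone and a line has been planted that
# attributes the session on port 44012 to a legitimate key.
LOCAL_COPY = """\
Jan 15 10:00:01 web01 sshd[1204]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Jan 15 10:02:41 web01 sshd[1231]: Accepted publickey for deploy from 10.0.0.5 port 44012 ssh2
Jan 15 10:05:00 web01 cron[1270]: (root) CMD (run-parts /etc/cron.hourly)
"""


def main():
    """Run the comparison on the samples; exit status 1 means 'investigate'."""
    missing, extra = compare_logs(LOCAL_COPY.splitlines(),
                                  REMOTE_COPY.splitlines(), host="web01")
    print(f"{len(missing)} collector line(s) missing from the local file:")
    for key in missing:
        print("  -", " ".join(k for k in key if k))
    print(f"{len(extra)} local line(s) that never reached the collector:")
    for key in extra:
        print("  +", " ".join(k for k in key if k))
    return 1 if (missing or extra) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Against real files, call compare_logs() with the two files' lines and the hostname the collector records for the device. Run the script on the collector (pulling the suspect host's file to it), not on the suspect host, since a compromised machine can lie about its own files; and check the host's rotated logs before reading a "missing locally" result as tampering.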

This was first published in January 2007
