Best Practices: How to Configure Syslog
Syslog provides insight into a network, but to get the most value out of it, it must be configured correctly. Here are some tips and tricks for maximizing the value of syslog at your organization.
- Compare local and remote logs. If an attacker gains control of a device, he can modify local log files to cover his tracks. However, a central syslog server provides a record of what happened, even if the local logs are altered. You can write a script to automatically compare remote and local files; if they're not identical, chances are the device has been compromised.
- Change the syslog config file. The default syslog configuration file is /etc/syslog.conf. Most attackers will look in this file, and if they see that the logs are being written to a remote syslog server, they will try to stop the logging daemon or perform a DoS attack against the centralized server. You can trick them: Create a bait /etc/syslog.conf file that only logs to the local host, then create your real syslog.conf file in a different location and recompile the syslog daemon to point to that new location. The attacker will have no idea that you are logging remotely.
- Employ write-once logging. Since syslog information may be used as evidence in court, you need to ensure its integrity. The simplest solution is copying it to write-once media, typically a WORM drive.
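As an added example (not from the article) of the comparison script the first tip describes, the code below takes the local log and the central syslog server's copy of the same host's entries and reports entries the server holds that are missing locally, which is what tampering on a compromised host looks like. The host name, the log lines and the idea of reading both copies as text are constructed assumptions for the demonstration.

```python
from collections import Counter

# Constructed sample: what the central syslog server received from host "web1".
REMOTE_LOG = """\
Mar  3 10:01:02 web1 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:09 web1 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
Mar  3 10:01:15 web1 useradd[1240]: new user: name=svc, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 10:02:30 web1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed sample: the host's local /var/log/messages after two entries were deleted.
LOCAL_LOG = """\
Mar  3 10:01:02 web1 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:02:30 web1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""


def _entries(text: str, host: str) -> Counter:
    """Count each syslog line whose hostname field (4th token) matches `host`.

    A Counter rather than a set, so a duplicated line that was deleted once is still caught.
    Order is ignored because UDP syslog delivery can reorder entries on the server.
    """
    counts: Counter = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[3] == host:
            counts[line.rstrip()] += 1
    return counts


def compare_logs(local_text: str, remote_text: str, host: str) -> dict:
    """Return lines the central server has but the local file lacks, and vice versa."""
    local, remote = _entries(local_text, host), _entries(remote_text, host)
    return {
        "missing_locally": sorted((remote - local).elements()),  # deleted or truncated on the host
        "only_local": sorted((local - remote).elements()),       # never reached the server (forwarding stopped?)
    }


def is_suspicious(local_text: str, remote_text: str, host: str) -> bool:
    """The article's rule: any difference between the two copies means the host may be compromised."""
    report = compare_logs(local_text, remote_text, host)
    return bool(report["missing_locally"] or report["only_local"])


if __name__ == "__main__":
    for line in compare_logs(LOCAL_LOG, REMOTE_LOG, "web1")["missing_locally"]:
        print("DELETED LOCALLY:", line)
```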
This was first published in January 2007