How to setup and configure syslog to view and filter data


This article can also be found in the Premium Editorial Download "Information Security magazine: Keep today's threats close and tomorrow's closer."


Next Generation
Syslog has some important limitations. First, there is no validation: any properly formatted syslog message sent to the server will be received and processed. An attacker could spoof messages to the syslog server to plant false information. For example, an attacker could report a phony attack to divert your resources away from his real effort.

In addition, since syslog uses UDP, it provides no guarantee of delivery. Therefore, if a system-flooding DoS attack is launched against the syslog server, legitimate messages will be dropped.

An enhanced version, syslog-ng, is based on TCP with authentication. By default, TCP provides guaranteed delivery. Because a TCP session is set up and torn down, additional information can be exchanged to validate the authenticity of the messages and of the host generating them, for example by adding support for other protocols such as IPsec.

Syslog-ng also provides built-in log rotation. Syslog typically loses some messages while the daemon is stopped and restarted as the logs are being rotated out. The challenge is to rotate logs out to archive for compliance, legal evidence and future investigations without losing messages. Syslog-ng will automatically archive files to a designated location.

In addition, while syslog provides basic logging information, it sometimes creates problems when forwarding log messages or providing details of what is happening across a wide range of systems.


When forwarding a syslog message, the header of the original device is often overwritten with the details of the forwarding device. For example, if one device forwarded messages from three systems, the original source information would be lost. In addition, the original syslog format carries limited information in the header. Syslog-ng helps to solve this by providing additional configurable details on what is happening, where the message was generated and when it occurred.

Syslog-ng is available for most devices and is usually obtained from the vendor. However, since some devices don't support it yet, you can configure your syslog-ng server to accept both legacy syslog devices and the newer format.
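The following syslog-ng configuration is an added example, not taken from the article or from the syslog-ng project's documentation. It ties together the points above: a UDP source for legacy syslog devices alongside a TCP source for syslog-ng senders, `keep_hostname(yes)` so that a relayed message keeps the originating host's name instead of the forwarder's, date macros in the file path so that logs land in a fresh archive directory each day without stopping the daemon, and a facility/severity filter that routes only the security-relevant records to a separate file. It assumes syslog-ng 3.x syntax; the port numbers, paths, owner/group and the `@version` line are placeholders to adjust for your own deployment.

```conf
@version: 3.0

options {
    # Keep the host name found in the message header rather than
    # replacing it with the name of the relay that forwarded it.
    keep_hostname(yes);
    # Do not prepend the relay's name to the host field either.
    chain_hostnames(no);
    # Avoid reverse DNS lookups on a busy collector.
    use_dns(no);
    # Create the dated archive directories below as they are needed.
    create_dirs(yes);
};

# Legacy devices that can only speak classic UDP syslog (port is a placeholder).
source s_legacy_udp {
    udp(ip(0.0.0.0) port(514));
};

# Hosts that run syslog-ng and can send over TCP (port is a placeholder).
source s_tcp {
    tcp(ip(0.0.0.0) port(514) max-connections(100));
};

# Only authentication-related facilities at warning level or above.
filter f_security {
    facility(auth, authpriv) and level(warning..emerg);
};

# Every message, archived per day and per originating host. The date macros
# change the target file at midnight, so no daemon restart is required.
destination d_archive {
    file("/var/log/archive/$YEAR/$MONTH/$DAY/$HOST.log"
         owner("root") group("adm") perm(0640) dir_perm(0750));
};

# A smaller, security-only file for investigators to start from.
destination d_security {
    file("/var/log/archive/$YEAR/$MONTH/$DAY/security.log"
         owner("root") group("adm") perm(0640) dir_perm(0750));
};

log {
    source(s_legacy_udp);
    source(s_tcp);
    destination(d_archive);
};

log {
    source(s_legacy_udp);
    source(s_tcp);
    filter(f_security);
    destination(d_security);
};
```

The `$HOST` macro in the archive path is what makes `keep_hostname(yes)` matter: with it, three systems relayed through one forwarder still produce three separate files named after the original senders. Note that the UDP source still accepts any well-formed datagram, so the validation weakness described above applies to the legacy path; restricting which addresses may reach that port at the network layer is the usual compensating control.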

This was first published in January 2007
