How To Avoid Source Spoofing In Centralized Syslog Environments
An obvious weakness of the syslog network protocol is how easily messages can be spoofed into a central syslog server. The default UDP transport and the complete lack of authentication make it trivial to forge any part of a syslog message, including the hostname field and, since UDP is connectionless, the source address of the datagram itself.
The most concerning issue with spoofing is faking the sending host. An attacker can create a lot of chaos by stuffing the log files with bogus errors, either as a denial of service (filling the disk or drowning real events) or as a way to distract administrators with false alarms while an attack takes place.
The most basic way to improve the situation is to transport syslog over TCP rather than UDP: a TCP sender has to complete the three-way handshake, so it cannot forge its source address blindly the way a UDP sender can. Be aware that TCP alone still does not authenticate the sender or the hostname field carried inside the message; it only makes the peer address trustworthy. Both syslog-ng and rsyslog support TCP transport natively, and both can also wrap it in TLS when actual sender authentication is required.
Alternatively, syslog can be tunneled over stunnel, as described here.
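The check a receiving side can do, whatever the transport, is to compare the hostname claimed inside each message against the address it actually arrived from. The following is an added example, not code from the original post: it builds RFC 3164 messages (to show that the hostname field is just a string any sender chooses), parses incoming datagrams, and flags the ones whose HOSTNAME disagrees with the peer address. The inventory table, the host names, the 192.0.2.x addresses and the sample messages are all constructed for the example.

```python
"""Flag syslog messages whose claimed hostname does not match the peer address.

Added example (not from the original post). The inventory, addresses and
sample messages below are constructed for illustration.
"""
import re
import socket

# Constructed inventory: the address each known log source should send from.
EXPECTED_SOURCES = {
    "webserver": "192.0.2.10",
    "dbserver": "192.0.2.20",
}

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
# TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day ("Feb  5").
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def build_message(facility, severity, hostname, tag, text,
                  timestamp="Feb  5 17:32:18"):
    """Produce an RFC 3164 datagram. Nothing stops a sender from putting
    any hostname here, which is exactly the spoofing problem."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode()


def parse_message(datagram):
    """Return the message fields as a dict, or None if it is not RFC 3164."""
    m = _RFC3164.match(datagram.decode("utf-8", "replace"))
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["facility"], fields["severity"] = pri // 8, pri % 8
    return fields


def verdict(peer_ip, datagram):
    """Classify one datagram received from peer_ip.

    'ok'           claimed host is known and sent from its expected address
    'spoofed'      claimed host is known but the datagram came from elsewhere
    'unknown-host' claimed host is not in the inventory at all
    'malformed'    the datagram does not parse as RFC 3164
    """
    fields = parse_message(datagram)
    if fields is None:
        return "malformed"
    expected_ip = EXPECTED_SOURCES.get(fields["host"])
    if expected_ip is None:
        return "unknown-host"
    if expected_ip != peer_ip:
        return "spoofed"
    return "ok"


def listen(bind_addr="0.0.0.0", port=514):
    """Run the check on live UDP traffic (needs root for port 514)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (peer_ip, _) = sock.recvfrom(65535)
        print(verdict(peer_ip, data), peer_ip, data[:80])


if __name__ == "__main__":
    # Constructed traffic: a genuine message from the web server, then a
    # message from the same address that claims to be the database server.
    genuine = build_message(4, 6, "webserver", "sshd", "Accepted publickey for alice")
    forged = build_message(0, 2, "dbserver", "kernel", "Out of memory: killed postgres")
    for ip, dgram in (("192.0.2.10", genuine), ("192.0.2.10", forged)):
        print(verdict(ip, dgram), dgram.decode())
```

Over UDP this check only raises the bar, because an attacker who also forges the source IP of the datagram will pass it; that is the gap the TCP transport above closes, since the peer address of an established TCP connection cannot be blindly forged. Note also that syslog daemons commonly offer the same protection as a configuration option (overwriting the message's hostname with the name resolved from the peer address), which is worth enabling on a central collector.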
Configuring The Snare Windows Client And Syslog-NG To Work Together
In a previous post, we looked at installing Snare to log Windows events to a syslog server. Here, we will configure syslog-ng to accept messages from Snare and implement a few simple customizations, including storing the logs in individual files. We will assume that Snare is operational for the purposes of this guide. Please see the post referenced above for help with installing Snare.
For this test, I am running syslog-ng 3.0.1 on FreeBSD 7.1 and Snare 3.14 on Windows XP.
First, we will start with a very basic configuration that accepts UDP syslog on port 514 and logs everything to /var/log/messages (note that the quotes must be plain ASCII double quotes; typographic quotes are a syntax error in syslog-ng):
source src {
    internal();          # syslog-ng's own messages
    udp(port(514));      # incoming syslog datagrams from Snare and other hosts
};
destination messages { file("/var/log/messages"); };
log { source(src); destination(messages); };
Categories: Windows, logging Tags: Snare, syslog-ng, Windows Logging
