Date: Sun, 18 Feb 2001 16:29:13 -0600
From: "Brandon Hicks" <fbsdsec@killaz-r-us.com>
To: <freebsd-security@FreeBSD.ORG>
Subject: Fw: Remote logging
Message-ID: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>
-----Original Message-----
From: Brandon Hicks <fbsdsec@killaz-r-us.com>
To: Carroll Kong <damascus@home.com>
Date: Sunday, February 18, 2001 1:29 PM
Subject: Re: Remote logging

>My FreeBSD box is down, so I can't check this out.... We are moving around
>some things in the new server room. But I'm about to have 8 FreeBSD boxes
>up, plus one here in my office... with no daemon running on it and only
>to monitor the others. So, I would like this information as well. Can
>someone see if syslogd says something when killed? If not, can someone write
>a patch for it, to make it say something like "Syslogd: Killed" at
>least....
>
>Brandon Hicks
>bjh
>
>
>-----Original Message-----
>From: Carroll Kong <damascus@home.com>
>To: Brian Reichert <reichert@numachi.com>
>Cc: freebsd-security@FreeBSD.ORG <freebsd-security@FreeBSD.ORG>
>Date: Sunday, February 18, 2001 12:42 PM
>Subject: Re: Remote logging
>
>
>>At 01:22 PM 2/18/01 -0500, you wrote:
>>>What? Syslog?
>>>
>>>Set up a secured box, with syslogd:
>>>
>>> loghost# syslogd -a 192.186/16
>>>
>>>Have this machine configured to write many machines' logs into
>>>whatever scheme you find useful for analysis.
>>>
>>>Have your other boxes have syslogd configured with something as
>>>simple as:
>>>
>>> *.* @loghost
>>>
>>>There are additional steps you can take to keep syslogd immune from
>>>DNS outages; read the manpages.
>>>
>>>Make sure all of your boxes are synchronized via NTP.
>>>
>>> >
>>> > Ragnar
>>>
>>>--
>>>Brian 'you Bastard' Reichert <reichert@numachi.com>
>>
>>That is a good idea, however, what is to stop the enemy from killing
>>syslogd as his first option? I do not think syslogd logs when it gets
>>killed? So, despite the secure log host, he might not get the valuable
>>info he needs. I suppose you could then start speculating a break-in if
>>there are no more MARKs since syslogd is dead. Even that could be
>>fabricated I suppose. Ugh. Security sure is tough to implement
>>fully. Not trying to say you are wrong, just that I am curious how does
>>one stop this possible problem? Have you found a way to avoid it?
>>
>>-Carroll Kong
>>
>>
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-security" in the body of the message
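One way to act on Carroll Kong's MARK observation from the loghost side, as an added example that is not part of this thread: a small checker that reads the log the central syslogd writes, remembers the latest "-- MARK --" line per forwarding host, and reports hosts whose marks have stopped arriving. The log lines, the hostnames, the year 2001 (syslog timestamps carry none) and the 20-minute mark interval are all assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what a loghost's combined log might hold after clients
# forward "*.*" to it. Host "db1" stops marking after 13:02; web1 keeps going.
SAMPLE_LOG = """\
Feb 18 12:42:00 web1 -- MARK --
Feb 18 12:42:03 db1 -- MARK --
Feb 18 13:02:00 web1 -- MARK --
Feb 18 13:02:05 db1 -- MARK --
Feb 18 13:05:11 db1 sshd[412]: Accepted publickey for admin from 10.0.0.9 port 4022
Feb 18 13:22:00 web1 -- MARK --
Feb 18 13:42:00 web1 -- MARK --
"""

# Assumed point in time at which the check runs (constructed for the sample).
NOW = datetime(2001, 2, 18, 13, 45, 0)

# Classic BSD syslog line: "Mon DD HH:MM:SS host -- MARK --"
MARK_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) -- MARK --$")


def last_marks(log_text, year):
    """Return {host: datetime of its most recent MARK line}."""
    seen = {}
    for line in log_text.splitlines():
        m = MARK_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        seen[m.group(2)] = stamp  # later lines overwrite earlier ones
    return seen


def silent_hosts(log_text, now, mark_interval_min=20, missed=2, year=2001):
    """Hosts with no MARK inside the last `missed` mark intervals before `now`."""
    limit = timedelta(minutes=mark_interval_min * missed)
    return sorted(h for h, ts in last_marks(log_text, year).items() if now - ts > limit)


if __name__ == "__main__":
    for host in silent_hosts(SAMPLE_LOG, NOW):
        print(f"{host}: no MARK received, syslogd down or host unreachable?")
```

A stopped heartbeat only says the marks stopped; as the thread notes, it does not distinguish a killed syslogd from a network outage or a replayed stream, so treat it as a trigger to look, not as proof.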