RE: [fw-wiz] Syslog set up

From: Mark Tinberg (mtinberg_at_securepipe.com)
Date: 07/25/03

    To: "Melson, Paul" <PMelson@sequoianet.com>
    Date: Thu, 24 Jul 2003 20:29:58 -0500 (CDT)
    
    


    On Thu, 24 Jul 2003, Melson, Paul wrote:

    > !-- Also, using TCP syslog can cause the PIX to freeze if it can't
    > !-- communicate with the syslog server - once the log buffer is full
    > !-- it stops passing traffic. Use UDP if at all possible.

    Also be advised that using UDP syslog will guarantee that sooner or later
    you will lose or corrupt logs. Anything that could cause packet loss on
    the link between the syslog server and the PIX, such as a busy switch or
    router, or an attack on your site that generates a large quantity of log
    messages, will cause packets to be dropped which will cause log messages
    to be permanently lost. Also any schmo can craft UDP packets that appear
    to come from your PIX and have bogus messages in them, and I don't think
    you'll have any way to ever tell the difference.

    Depending on your security posture, having your PIX freeze up if the link
    to your syslog server goes down may be an acceptable compromise for more
    reliable and complete logs. In either case though, you should make every
    effort to make sure that your syslog service is never inaccessible,
    otherwise you may go blind.

    --
    Mark Tinberg <MTinberg@securepipe.com>
    Network Security Engineer, SecurePipe Inc.
    New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67

            Your daily fortune . . .

    If some people didn't tell you, you'd never know they'd been away on vacation.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


