Syslog server

Syslog server

Post by Mark » Thu, 20 Nov 2003 02:37:25



Hi all,

I'm trying to find some information on setting up a basic syslog server, but
the whole concept seems to be very "secret squirrel"... I've done exhaustive
searches and come up with nothing.

I just want to use a solaris 8 box to accept syslog messages from some cisco
kit (easy to set up logging on that) but can't find any helpful info.

I looked through the man pages but can't find any option for syslog to
enable acceptance of syslog messages from remote hosts... :S

Any advice greatly appreciated!

Mark


Syslog server

Post by Barry Margoli » Thu, 20 Nov 2003 04:09:04




>I looked through the man pages but can't find any option for syslog to
>enable acceptance of syslog messages from remote hosts... :S

Because it's not optional, it always accepts them.

--

Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


Syslog server

Post by Mark » Thu, 20 Nov 2003 08:30:10


Aha,

thanks guys.

That seems like rather undesirable behaviour (the default accept). I daresay
there's an exploit out there somewhere which takes advantage of it :S

Well, seeing as it'll be behind a PIX, I'm sure it won't be a problem, I'll
just have to set up rules.

Cheers!

Mark




> >>I looked through the man pages but can't find any option for syslog to
> >>enable acceptance of syslog messages from remote hosts... :S

> >Because it's not optional, it always accepts them.

> It is optional, it's just the option (-t) is to turn it off, not turn
> it on.

> P.

> --
> pir


Syslog server

Post by Mark » Thu, 20 Nov 2003 23:20:24


All working beautifully and out to separate files :)

Thanks


> Aha,

> thanks guys.

> That seems like rather undesirable behaviour (the default accept). I daresay
> there's an exploit out there somewhere which takes advantage of it :S

> Well, seeing as it'll be behind a PIX, I'm sure it won't be a problem, I'll
> just have to set up rules.

> Cheers!

> Mark





> > >>I looked through the man pages but can't find any option for syslog to
> > >>enable acceptance of syslog messages from remote hosts... :S

> > >Because it's not optional, it always accepts them.

> > It is optional, it's just the option (-t) is to turn it off, not turn
> > it on.

> > P.

> > --
> > pir


Syslog server

Post by Chris Thompson » Fri, 21 Nov 2003 00:33:40






>>>I looked through the man pages but can't find any option for syslog to
>>>enable acceptance of syslog messages from remote hosts... :S

>>Because it's not optional, it always accepts them.

>It is optional, it's just the option (-t) is to turn it off, not turn
>it on.

Or, in Solaris 9, set LOG_FROM_REMOTE=NO in /etc/default/syslogd.
That way, you don't have to mess with the /etc/init.d/syslog script.

The default being to accept remote syslogs is just tradition, and
yes (as another poster suggested), there have been exploits. Not
just the easy DoS ones, but ones using overlong UDP packets to
provoke buffer overflows in syslogd.

Chris Thompson
Email: cet1 [at] cam.ac.uk
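The thread's conclusion is that Solaris syslogd listens for remote datagrams by default (turned off with `-t` in the init script, or `LOG_FROM_REMOTE=NO` on Solaris 9), that Mark ended up splitting the remote messages out to separate files, and that an open collector has been hit by both DoS and overlong-datagram overflow bugs. The following is an added example, not code from any poster or from Solaris: a small UDP syslog collector in Python that shows the parse-and-route side of what a collector does, plus the two checks the discussion points at, a source allowlist (standing in for the PIX rules) and a hard cap on datagram size before anything is parsed. The IP addresses, the log directory and the port are constructed assumptions, as is the facility-per-file layout; the PRI decoding (`facility * 8 + severity`, 0..191) is the standard syslog encoding.

```python
"""Added example: a minimal UDP syslog collector with the checks the thread
mentions (source allowlist, datagram size cap) and per-source, per-facility
output files. Not Solaris syslogd and not any poster's code; addresses and
paths below are constructed sample values."""
import os
import re
import socket

# RFC 3164 puts the ceiling for a syslog datagram at 1024 bytes; anything
# larger is dropped unparsed rather than handed to the rest of the code.
MAX_MSG = 1024

# Assumed hosts allowed to log here (a stand-in for the firewall rules the
# thread relies on). Constructed values.
ALLOWED_SOURCES = {"192.168.1.10", "192.168.1.20", "192.168.1.254"}

FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
    "local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# The PRI part is "<" + decimal + ">" at the very start of the datagram.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(data):
    """Return (facility_name, severity_name) for a datagram, or None.

    PRI = facility * 8 + severity, so the only valid values are 0..191.
    """
    m = PRI_RE.match(data)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], SEVERITIES[sev]


def route(src_ip, data, logdir="/var/log/remote"):
    """Decide where one datagram goes.

    Returns (path, note): path is the file to append the message to, or
    None when the datagram is dropped, in which case note says why.
    Checks run in order of cheapness: sender, size, then the PRI header.
    """
    if src_ip not in ALLOWED_SOURCES:
        return None, "source not in allowlist"
    if len(data) > MAX_MSG:
        return None, "oversize datagram"
    pri = parse_pri(data)
    if pri is None:
        return None, "missing or invalid PRI"
    facility, severity = pri
    # One file per source host and facility, e.g. a Cisco box logging at
    # local7 lands in <logdir>/192.168.1.254/local7.log (assumed layout).
    path = os.path.join(logdir, src_ip, facility + ".log")
    return path, severity


def serve(bind_addr="0.0.0.0", port=514, logdir="/var/log/remote"):
    """Receive datagrams forever and append the accepted ones to files."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        # Read one byte more than the cap so an oversize datagram is
        # detected and dropped instead of being silently truncated.
        data, (src_ip, _) = sock.recvfrom(MAX_MSG + 1)
        path, _note = route(src_ip, data, logdir)
        if path is None:
            continue  # dropped; a real collector would count these
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "ab") as f:
            # One message per line regardless of what the sender appended.
            f.write(data.rstrip(b"\r\n") + b"\n")


if __name__ == "__main__":
    serve(port=5514)  # unprivileged port for trying it out without root
```

`route()` is deliberately separate from the socket loop so the policy can be exercised on constructed datagrams: a Cisco-style `<189>...` message from an allowed address is filed under `local7.log` with severity `notice`, while an unknown sender, a 2 KB datagram, or a message with no PRI header is dropped before anything else looks at it.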


Sending syslog messages to a remote syslog server

I have successfully setup a centralized syslog server on Linux
accepting logs from remote clients.
The /etc/syslog.conf file on Linux (192.168.1.20) is configured as
follows:
*.*                               /var/log/mainlog

I have remote Linux, Windows, Snort, HP JetDirects, and Cisco devices
logging to it.  I have not been able to get Solaris to send logs
though.
The /etc/syslog.conf file on Solaris 7.0 (192.168.1.10) is configured
as follows:


The /etc/hosts file on Solaris is configured as follows:
192.168.1.20 loghost

After restarting syslog (/etc/init.d/syslog stop and then a start), I
do not see any logs being sent.  I tried to log in with telnet using an
incorrect password, and /var/adm/ had a log file that shows I
attempted this, but the Linux box did not.

My question is...Are either of these correct?  I would prefer to use

understand that the second line should work as well.  Any ideas?
