
Re: Followup: Syslog



Of all the days, it was on Sat, Apr 14, 2001 at 02:32:20PM -0400 that Jacob Kuntz quoth:
> from the secret journal of Andy Bastien (lists@yuggoth.net):
> > 
> > Another technique is to use a separate logging server which has the
> > transmit leads on its ethernet connection snipped.  It's capable of
> > receiving (via UDP only, since it can't ACK!) log entries, but it's
> > virtually impossible to start an interactive session remotely to shut
> > it down or otherwise interfere with it.  It's possible to attack the
> 
> It also can't arp. You'll need to prime the arp cache from a file for every
> host that needs immutable logs. Have you tried this? I wonder if you'll even
> get a link light.
> 
> A syslog that strips formfeeds and line feeds attached to a printer is a
> little better, but I haven't found an efficient way to egrep with my eyes.
> 

I have to admit I've never done this myself, but I know people who do.
If you have a hub that won't send packets to the link because the
transmit leads don't make a circuit, the leads can be looped back or
some hubs will let you disable link detection.

Here's a page that discusses how to make a receive-only cable (scroll
down to 3.6): http://www.robertgraham.com/pubs/sniffing-faq.html

This is from a mailing list discussion about some problems that people
have had with cutting the transmit wires.  Be aware that the guy who
starts the thread clipped the wrong wires:
http://www.securityportal.com/list-archive/firewall-wizards/1998/Aug/0167.html

Of course, you can use a standard cable with a dedicated logging
network segment and disable all network services on the logging server
except for syslog.  Different networks find that different
solutions work best for them.  I also don't want to claim that
there is anything wrong with logging to a printer, and some people
might want to log to a printer and a remote server.
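
As an added example, not part of this thread or anyone's code in it, here is a minimal receive-only UDP syslog collector in Python that makes the "UDP only, since it can't ACK" point concrete: it binds a UDP socket, parses the RFC 3164 PRI field into facility and severity, appends each record, and has no send path at all. The sample datagrams, host names and the loopback address are constructed for the demo; a real deployment would bind the logging segment's address on port 514.

```python
"""Receive-only UDP syslog collector (added example, not from the thread).

The server binds a UDP socket and never transmits: no handshake, no ACK,
no reply of any kind, which is the property a snipped-transmit-lead host
relies on. The datagrams at the bottom are constructed for the demo.
"""
import re
import socket
import threading
import time

# RFC 3164 PRI field: "<N>" with N = facility * 8 + severity, 0 <= N <= 191.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Decode one datagram into facility, severity and message text.

    A datagram without a valid PRI is kept rather than dropped: RFC 3164
    says to treat it as user.notice (PRI 13), and a collector that silently
    discards odd input loses exactly the lines you would want to look at.
    """
    text = datagram.decode("utf-8", errors="replace")
    match = _PRI_RE.match(text)
    if match is None or int(match.group(1)) > 191:
        return {"facility": "user", "severity": "notice",
                "message": text.rstrip("\r\n"), "pri_valid": False}
    facility, severity = divmod(int(match.group(1)), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "message": match.group(2).rstrip("\r\n"), "pri_valid": True}


class ReceiveOnlyCollector:
    """UDP listener that only ever calls recvfrom(); it has no send path."""

    def __init__(self, host="127.0.0.1", port=0, log_path=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))          # port 0 = ephemeral, for the demo
        self.sock.settimeout(0.5)             # lets serve() notice stop()
        self.address = self.sock.getsockname()
        self.records = []
        self.log_path = log_path              # optional append-only text log
        self._stop = threading.Event()

    def serve(self):
        while not self._stop.is_set():
            try:
                data, (src, _port) = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            record = parse_syslog(data)
            record["source"] = src
            self.records.append(record)
            if self.log_path:
                with open(self.log_path, "a", encoding="utf-8") as fh:
                    fh.write(f"{src} {record['facility']}.{record['severity']} "
                             f"{record['message']}\n")
        self.sock.close()

    def stop(self):
        self._stop.set()


def collect_once(datagrams, timeout=3.0):
    """Run a collector on loopback, feed it the given datagrams, return records."""
    collector = ReceiveOnlyCollector()
    worker = threading.Thread(target=collector.serve, daemon=True)
    worker.start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for datagram in datagrams:
        sender.sendto(datagram, collector.address)
    sender.close()
    deadline = time.monotonic() + timeout
    while len(collector.records) < len(datagrams) and time.monotonic() < deadline:
        time.sleep(0.02)
    collector.stop()
    worker.join()
    return collector.records


# Constructed sample traffic: auth.crit (PRI 34), user.notice (PRI 13), and a
# line with no PRI header at all.
SAMPLE_DATAGRAMS = [
    b"<34>Apr 14 14:32:20 gw sshd[123]: Failed password for root from 10.0.0.5\n",
    b"<13>Apr 14 14:32:21 gw cron[99]: (root) CMD (run-parts /etc/cron.hourly)\n",
    b"plain text with no PRI header\n",
]

if __name__ == "__main__":
    for rec in collect_once(SAMPLE_DATAGRAMS):
        print(f"{rec['source']} {rec['facility']}.{rec['severity']} {rec['message']}")
```

The collector keeps the malformed third line and tags it as invalid rather than dropping it, and `collect_once` exists only so the whole round trip can be exercised on loopback; on a real logging segment you would run `ReceiveOnlyCollector(host=<segment address>, port=514, log_path=...)`.serve()` as a service and nothing else.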
