Re: Followup: Syslog
Of all the days, it was on Sat, Apr 14, 2001 at 02:32:20PM -0400 that Jacob Kuntz quoth:
> from the secret journal of Andy Bastien (lists@yuggoth.net):
> >
> > Another technique is to use a separate logging server which has the
> > transmit leads on its ethernet connection snipped. It's capable of
> > receiving (via UDP only, since it can't ACK!) log entries, but it's
> > virtually impossible to start an interactive session remotely to shut
> > it down or otherwise interfere with it. It's possible to attack the
>
> It also can't arp. You'll need to prime the arp cache from a file for every
> host that needs immutable logs. Have you tried this? I wonder if you'll even
> get a link light.
>
> A syslog that strips formfeeds and line feeds attached to a printer is a
> little better, but I haven't found an efficient way to egrep with my eyes.
>
I have to admit I've never done this myself, but I know people who do.
If you have a hub that won't send packets to the link because the
transmit leads don't make a circuit, the leads can be looped back or
some hubs will let you disable link detection.
Here's a page that discusses how to make a receive-only cable (scroll
down to 3.6): http://www.robertgraham.com/pubs/sniffing-faq.html
This is from a mailing list discussion about some problems that people
have had with cutting the transmit wires. Be aware that the guy who
starts the thread clipped the wrong wires:
http://www.securityportal.com/list-archive/firewall-wizards/1998/Aug/0167.html
Of course, you can use a standard cable with a dedicated logging
network segment and disable all network services on the logging server
except for syslog. Different networks find that different
solutions work the best for them. I also don't want to claim that
there is anything wrong with logging to a printer, and some people
might want to log to a printer and a remote server.
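The receive-only collector the thread describes needs a listener that never answers, which is exactly what a plain UDP syslog receiver is. The following is an added example written for this page, not code from anyone in the thread: it binds UDP/514, parses the RFC 3164 `<PRI>` prefix into facility and severity, flattens embedded newlines so a single datagram cannot forge extra log lines, and appends each record to a file. The port, the output path and the sample datagrams in the comments are constructed for illustration.

```python
"""Minimal receive-only UDP syslog collector (added example, not from the thread).

It only ever calls recvfrom(); nothing is sent back, so it works over a
one-way link such as the cut-transmit-lead cable discussed above.
The port, file path and sample values are constructed, not taken from the thread.
"""
import re
import socket
from datetime import datetime, timezone
from typing import Optional

# RFC 3164 style: "<PRI>TIMESTAMP HOST TAG: MSG"; PRI = facility*8 + severity
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Split a raw syslog datagram into facility, severity and text.

    Malformed input (no <PRI> prefix, or PRI above 191) is kept rather than
    dropped: on a security log a bad line is still evidence.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return {"facility": None, "severity": None, "message": text, "valid": False}
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "message": m.group(2),
        "valid": True,
    }


def format_record(src_ip: str, datagram: bytes, now: Optional[datetime] = None) -> str:
    """Render one received datagram as a single line for the append-only file."""
    now = now or datetime.now(timezone.utc)
    rec = parse_syslog(datagram)
    sev = rec["severity"] or "invalid"
    # Escape embedded line breaks so one datagram can never forge extra log lines.
    msg = rec["message"].replace("\n", "\\n").replace("\r", "\\r")
    return f"{now.isoformat()} {src_ip} {sev} {msg}"


def run_receiver(path: str = "/var/log/remote.log", port: int = 514) -> None:
    """Bind the UDP port and append every datagram to `path`. Never sends."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(path, "a", buffering=1) as out:  # line buffered
        while True:
            data, (src_ip, _) = sock.recvfrom(8192)
            out.write(format_record(src_ip, data) + "\n")


if __name__ == "__main__":
    # Example constructed datagram: b"<34>Apr 14 14:32:20 gw sshd[123]: Failed password"
    # -> facility 4 (auth), severity "crit"
    run_receiver()
```

Binding port 514 needs root or an equivalent capability; on a box whose only job is to receive logs, running the listener as an unprivileged user on a high port with a redirect in front of it keeps the collector's attack surface to a single UDP socket, which is the point the thread makes about disabling every other service.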