A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitates troubleshooting functions when problems are encountered and can assist in performing root cause analysis.
A malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. Placing the syslog server on a separate subnet such as the management network isolated from general access and transient traffic will assist in reducing these risks. |