[Dshield] Syslog Server Software

Harry Hoffman hhoffman at ip-solutions.net
Fri Mar 17 03:43:55 GMT 2006


I'm curious about this as I've heard several people mention it before,
although it was usually in the context of a honey{pot,net}.

Do you capture all the syslog messages to a pcap file and extract them
later? Or do you attempt to listen and reconstruct as the packets are
intercepted?

I've tried the latter with not a great deal of success; the CPU normally
shoots through the roof. And this is on a fairly decent machine (IBM
x335) with a few gigs of memory and a good Gb network card.

Cheers,
Harry

Valdis.Kletnieks at vt.edu wrote:
<snip>

> 
> (Personally, I like the "phantom log server" approach, where you syslog to an
> IP address that blackholes because there isn't a system there, and then use
> a packet sniffer on a read-only tap to suck in the packets.)


-- 
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/
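The "phantom log server" approach quoted above leaves you with packet captures instead of log files, so the two options Harry raises come down to parsing syslog out of pcap data either offline or as it arrives. As an added example that is not part of this thread, the following Python script takes the offline route: it walks a classic pcap file, picks out UDP datagrams addressed to port 514 and splits the RFC 3164 priority prefix into facility and severity. The capture it reads is constructed inline from a few made-up log lines; Ethernet/IPv4 framing, the 514 port number and link type 1 are assumptions, and checksums are left at zero because nothing here verifies them.

```python
"""Extract syslog messages from a pcap capture of traffic sent to a
blackholed 'phantom' log server and sniffed from a read-only tap.

Assumed (not from the thread): classic pcap format, Ethernet link type (1),
IPv4, syslog carried as UDP to port 514, RFC 3164 '<PRI>' prefix.
"""
import struct

SYSLOG_PORT = 514
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(payload):
    """Split an RFC 3164 '<PRI>' prefix into (facility, severity, text).

    A message without a valid prefix is kept with facility/severity None,
    so a malformed sender does not silently drop out of the record set."""
    if payload.startswith(b"<"):
        end = payload.find(b">", 1, 5)
        if end > 1 and payload[1:end].isdigit():
            pri = int(payload[1:end])
            if pri <= 191:  # 24 facilities * 8 severities - 1
                return FACILITIES[pri >> 3], SEVERITIES[pri & 7], \
                    payload[end + 1:].decode("utf-8", "replace")
    return None, None, payload.decode("utf-8", "replace")


def iter_pcap_frames(data):
    """Yield (timestamp, frame) from classic pcap bytes, either byte order."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a classic pcap file")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def extract_syslog(data, port=SYSLOG_PORT):
    """Return one dict per UDP datagram addressed to `port`; everything else is skipped."""
    records = []
    for ts, frame in iter_pcap_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:
            continue  # not UDP, or truncated
        udp = ip[ihl:]
        sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
        if dport != port:
            continue
        facility, severity, text = parse_pri(udp[8:ulen])
        records.append({
            "time": ts,
            "src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "facility": facility, "severity": severity, "message": text,
        })
    return records


# --- constructed sample capture (not real traffic) -------------------------
def _udp_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/UDP frame; checksums are zero (not verified above)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap file with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1142566200 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _pcap([  # 10.0.0.250 is the blackholed 'phantom' address
    _udp_frame("10.0.0.5", "10.0.0.250", 40000, 514,
               b"<34>Mar 17 03:43:55 fw01 sshd[1234]: Failed password for root"),
    _udp_frame("10.0.0.5", "10.0.0.250", 40001, 53, b"not syslog, skipped"),
    _udp_frame("10.0.0.6", "10.0.0.250", 40002, 514,
               b"<13>Mar 17 03:44:01 web01 kernel: eth0 link up"),
])

if __name__ == "__main__":
    for rec in extract_syslog(SAMPLE_PCAP):
        print("%s %s.%s %s" % (rec["src"], rec["facility"], rec["severity"], rec["message"]))
```

Parsing a saved capture this way keeps the decoding cost off the sniffing host, which is the CPU problem Harry describes with live reconstruction; the sniffer only has to write packets to disk. Since the phantom address never answers, a sender that retries or queues after "delivery" failure is a sign the tap is not seeing what it should, so it is worth reconciling the record count against the sending hosts' own counters now and then.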
