[lug] logs

Tim Klein teece at silverklein.net
Tue Jul 31 00:55:00 MDT 2001

On Monday 30 July 2001 12:38 am, Sean Reifschneider wrote:

> You can set up syslog to log via UDP packets to another host. 
> You'll first have to set up the other host's syslogd to accept
> remote packets and your firewall to allow those in from your
> server.  Then on your server you list the destination as
> "@host" and messages will be forwarded to that host.  If you
> still want the log entries stored locally, just have two lines
> for the class listing local and remote.

Another interesting log protection idea that I read, I think it 
was in Practical Unix & Internet Security from O'Reilly, was 

Compile your syslog form source, but before you do so, modify it 
so that the config file is in a very non standard place (I 
dunno, how about /usr/local/share/doc/hello).  It will read the 
syslog control file from there.  To avoid making an intruder 
suspicious, put a fake copy of the config file in its standard 
/etc place.   In the real file, in /usr/local/share/doc/hello/, 
make it log to both the standard locations (/var/log) AND a 
remote log machine, and perhaps even somewhere else on your file 
system, like in /usr/local/share/doc/hello.  The fake file in 
/etc only shows your system logging to the standard place, 

This way, you may trick an intruder into thinking that when they 
modify your logs in /var/log/, they are covering their tracks.  
Unless they are really paying attention, the might miss the real 
config file and extra logging entirely.

I haven't ever done this, but I am planning on it for the near 


== Timothy Klein || teece at silverklein.net   ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==

More information about the LUG mailing list