syslog
Subpages
/rsyslog
About
IETF Workgroup - Security Issues in Network Event Logging (syslog)
- Open source logging experts in Germany
Standards
IETF RFC6012 Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
IETF RFC5425 Transport Layer Security (TLS) Transport Mapping for Syslog
IETF draft-ietf-uta-ciphersuites-in-sec-syslog-05 Updates to the Cipher Suites in Secure Syslog
man 3 syslog
Ports
- syslog
  - udp/514 (default)
    - Not encrypted
    - No confirmation on receipt, messages are lost easily
    - No congestion control
  - tcp/514
    - Not encrypted
    - No confirmation on receipt, but at least the delivery guarantees of TCP
  - tcp/6514
    - Encrypted
    - No confirmation on receipt, but at least the delivery guarantees of TCP
- RELP
  - No standard or default port assigned; typically tcp/2514 or tcp/25014
  - Should be encrypted
  - Confirmation on receipt
Numeric values
Numeric values in IETF RFC5424
IETF RFC5424 - The Syslog Protocol, Section 6.2.1 (PRI), Table 1 defines the following numerical facility codes:

Numerical Code  Facility
 0  kernel messages
 1  user-level messages
 2  mail system
 3  system daemons
 4  security/authorization messages
 5  messages generated internally by syslogd
 6  line printer subsystem
 7  network news subsystem
 8  UUCP subsystem
 9  clock daemon
10  security/authorization messages
11  FTP daemon
12  NTP subsystem
13  log audit
14  log alert
15  clock daemon (note 2)
16  local use 0 (local0)
17  local use 1 (local1)
18  local use 2 (local2)
19  local use 3 (local3)
20  local use 4 (local4)
21  local use 5 (local5)
22  local use 6 (local6)
23  local use 7 (local7)
Numeric values in libc6
Numeric values can be found in libc6-dev, in /usr/include/x86_64-linux-gnu/sys/syslog.h
Encoding priorities and facilities into a 32-bit number
/*
 * priorities/facilities are encoded into a single 32-bit quantity, where the
 * bottom 3 bits are the priority (0-7) and the top 28 bits are the facility
 * (0-big number). Both the priorities and the facilities map roughly
 * one-to-one to strings in the syslogd(8) source code. This mapping is
 * included in this file.
 */
Priorities are encoded in the lowest 3 bits
/*
 * priorities (these are ordered)
 */
#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */

#define LOG_PRIMASK 0x07 /* mask to extract priority part (internal) */
/* extract priority */
#define LOG_PRI(p) ((p) & LOG_PRIMASK)
#define LOG_MAKEPRI(fac, pri) ((fac) | (pri))
Facilities are shifted by 3 bits to the left
/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */

/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */

#define LOG_NFACILITIES 24 /* current number of facilities */
#define LOG_FACMASK 0x03f8 /* mask to extract facility part */
/* facility of pri */
#define LOG_FAC(p) (((p) & LOG_FACMASK) >> 3)
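The following program is an added example (not part of this page, nor taken from glibc or any syslog implementation) that puts the encoding described above to work: it builds an RFC5424 PRIVAL from a facility and a severity with the page's LOG_MAKEPRI/LOG_PRI/LOG_FAC macros, and it parses the "<PRIVAL>" field that opens a syslog message the way a receiver would, rejecting malformed or out-of-range values instead of guessing. The function names (make_prival, parse_pri, pri_facility, pri_severity, pri_length) and the sample message lines are constructed for this example.

```c
#include <stdio.h>
#include <ctype.h>

/* Masks and macros as defined in glibc's <sys/syslog.h>; copied here so the
 * example compiles without the header. */
#define LOG_PRIMASK 0x07
#define LOG_FACMASK 0x03f8
#define LOG_PRI(p) ((p) & LOG_PRIMASK)
#define LOG_FAC(p) (((p) & LOG_FACMASK) >> 3)
#define LOG_MAKEPRI(fac, pri) ((fac) | (pri))

/* Largest PRIVAL allowed by RFC 5424: facility 23, severity 7 -> 23*8 + 7. */
#define MAX_PRIVAL 191

/* Build a PRIVAL from an unshifted facility number (0..23) and a severity
 * (0..7), exactly as RFC 5424 describes it: facility * 8 + severity.
 * Returns -1 if either argument is out of range. */
int make_prival(int facility, int severity)
{
    if (facility < 0 || facility > 23 || severity < 0 || severity > 7)
        return -1;
    /* LOG_MAKEPRI expects the facility already shifted, like LOG_AUTH (4<<3). */
    return LOG_MAKEPRI(facility << 3, severity);
}

/* Parse the "<PRIVAL>" that opens a syslog message. Returns the number of
 * bytes consumed (3..5) and stores the decoded facility and severity, or
 * returns -1 when the PRI is malformed (missing brackets, no digits, more
 * than three digits) or outside the 0..191 range. A receiver should reject
 * such a message rather than assign it a priority of its own. */
int parse_pri(const char *msg, int *facility, int *severity)
{
    if (msg == NULL || msg[0] != '<')
        return -1;
    const char *p = msg + 1;
    int val = 0, ndigits = 0;
    while (isdigit((unsigned char)*p)) {
        if (++ndigits > 3)          /* PRIVAL = 1*3DIGIT */
            return -1;
        val = val * 10 + (*p - '0');
        p++;
    }
    if (ndigits == 0 || *p != '>' || val > MAX_PRIVAL)
        return -1;
    *facility = LOG_FAC(val);       /* bits 3..9 */
    *severity = LOG_PRI(val);       /* bits 0..2 */
    return (int)(p - msg) + 1;      /* include the closing '>' */
}

/* Convenience wrappers returning a single field, or -1 on a bad PRI. */
int pri_facility(const char *msg)
{
    int f, s;
    return parse_pri(msg, &f, &s) < 0 ? -1 : f;
}

int pri_severity(const char *msg)
{
    int f, s;
    return parse_pri(msg, &f, &s) < 0 ? -1 : s;
}

int pri_length(const char *msg)
{
    int f, s;
    return parse_pri(msg, &f, &s);
}

int main(void)
{
    /* Constructed sample lines, not captured from a real system. */
    const char *samples[] = {
        "<34>1 2024-01-01T00:00:00Z host su - - - auth failure (facility 4, severity 2)",
        "<165>1 2024-01-01T00:00:00Z host app - - - local4 notice",
        "<192>1 2024-01-01T00:00:00Z host app - - - PRIVAL above 191 is invalid",
        "34>1 2024-01-01T00:00:00Z host app - - - missing '<'",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fac, sev;
        int n = parse_pri(samples[i], &fac, &sev);
        if (n < 0)
            printf("reject : %s\n", samples[i]);
        else
            printf("fac=%2d sev=%d : %s\n", fac, sev, samples[i] + n);
    }
    return 0;
}
```

Two details are worth noticing when running it: the glibc comment above speaks of 28 facility bits, but LOG_FACMASK (0x03f8) only covers bits 3..9, so LOG_FAC can never yield more than 127; and RFC5424 caps PRIVAL at 191, which the parser enforces before applying the masks, so a value like <192> is rejected rather than decoded into facility 24.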
Implementations
- And many other projects …
Implementation comparisons
Use cases
- Centralized logging with automated analysis (due to the vast amount of log data)
Security information and event management (SIEM)
Combination with the Linux audit subsystem auditd
- Well designed and understandable rule-sets:
Alternative to auditd
because auditd
- encodes data in HEX
- misses relevant information (ENV, …)
- encodes numbers in various formats
- has no JSON output
- …
github.com threadhunters-io/laurel - Linux Audit - Usable, Robust, Easy Logging
github.com a2o/snoopy - Snoopy Command Logger
- Unreliable for security purposes, because it is loaded through the LD_PRELOAD environment variable and can therefore be disabled by rogue users.
Reliable Event Logging Protocol (RELP)
Reliable Event Logging Protocol (RELP), a networking protocol for computer data logging in computer networks, extends the functionality of the syslog protocol to provide reliable delivery of event messages. It is most often used in environments which do not tolerate message loss, such as the financial industry.
Used for syslog-to-syslog communication.
Further analysis of log data
- NoSQL + software.