syslog

syslog is used to manage log messages in a centralized way. syslog got its start as a way of centrally recording messages for a set of UNIX machines, but many network devices (routers, hubs, etc.) now use syslog to report status and usage information. Such devices often don't even have a way to record this information locally, because they don't have any writable storage media; if you want to know what they're reporting, something has to be listening to their syslog messages.

Attackers will often attempt to flood a site's syslog server in order to cover their tracks, either so that the server runs out of disk space and stops logging new messages, or so that the evidence of their activities is lost in the noise.

Packet Filtering Characteristics of syslog

syslog is a UDP-based service. syslog servers (which record messages logged by other systems) listen on UDP port 514. syslog clients generally (but not always) use ports above 1023 to talk to servers. syslog servers never send messages back to clients. syslog servers can be configured to pass messages along to other syslog servers; in such cases, the sending server generally uses port 514 as the client port.

Direction  Source Addr.  Dest. Addr.  Protocol  Source Port  Dest. Port  ACK Set  Notes
In         Ext           Int          UDP       >1023[41]    514         [42]     External client contacting internal syslog server
Out        Int           Ext          UDP       >1023[41]    514         [42]     Internal client contacting external syslog server
In         Ext           Int          UDP       514          514         [42]     External syslog server passing message to internal syslog server
Out        Int           Ext          UDP       514          514         [42]     Internal syslog server passing message to external syslog server

[41] Some syslog clients use ports below 1024.

[42] UDP packets do not have ACK bits.
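The table above, and the flooding concern raised earlier, can both be checked against captured traffic. The following is an added example, not code from the book: it models the four table rows as a filter decision and then counts permitted syslog datagrams per source to spot a source whose rate suggests a flood. The internal address range (10.0.0.0/8), the rate threshold and the sample traffic are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SYSLOG_PORT = 514
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range (constructed)

@dataclass(frozen=True)
class Datagram:
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "UDP"

def classify(d):
    """Match a datagram against the syslog filtering table. Returns the row it
    matches ('In'/'Out' plus client or relay) or None when the filter drops it."""
    if d.proto != "UDP" or d.dport != SYSLOG_PORT:
        return None
    src_int = ip_address(d.src) in INTERNAL
    dst_int = ip_address(d.dst) in INTERNAL
    if src_int == dst_int:
        return None                      # does not cross the filter at all
    direction = "Out" if src_int else "In"
    if d.sport > 1023:
        return f"{direction} client"     # rows 1-2: ordinary client, source port >1023
    if d.sport == SYSLOG_PORT:
        return f"{direction} relay"      # rows 3-4: server forwarding, source port 514
    return None                          # low client port (footnote 41): dropped by default

def flood_sources(datagrams, window=1.0, threshold=100):
    """Count permitted syslog datagrams per source per time window and return
    the sources whose peak per-window count exceeds the threshold, highest first."""
    per_bucket = Counter()
    for d in datagrams:
        if classify(d) is not None:
            per_bucket[(d.src, int(d.ts // window))] += 1
    peak = {}
    for (src, _), n in per_bucket.items():
        peak[src] = max(peak.get(src, 0), n)
    return sorted(((s, n) for s, n in peak.items() if n > threshold), key=lambda x: -x[1])

# Constructed sample traffic: a router logging normally, a relaying server, and one host
# sending 300 messages in about 1.2 seconds.
SAMPLE = (
    [Datagram(t * 0.5, "192.0.2.10", "10.0.0.5", 40000 + t, 514) for t in range(10)]
    + [Datagram(t * 0.5, "192.0.2.20", "10.0.0.5", 514, 514) for t in range(4)]
    + [Datagram(t / 250, "198.51.100.7", "10.0.0.5", 50000, 514) for t in range(300)]
)

if __name__ == "__main__":
    for src, n in flood_sources(SAMPLE):
        print(f"possible syslog flood from {src}: {n} messages in one second")
```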

Proxying Characteristics of syslog

syslog is a self-proxying protocol; that is, syslog servers can generally be configured to simply pass messages they receive on to other syslog servers.

Summary of syslog Recommendations