Thread: syslogd on a shared server?

  1. #1
    Junior Member
    Join Date
    Oct 2005
    Posts
    17

    syslogd on a shared server?

    I am on a shared server with my hosting company. I would like to use a syslog daemon to log syslog events from my PIX501 firewall at home.

    I asked my provider and they said I had to purchase a dedicated server.

    At home I don't have machines on 24/7 online, so I am wondering if it was possible to do this from a hosting provider on a shared server or I really need a dedicated server for this?

    TIA
    \"Luck is what happens when preparation meets opportunity.\"
    (Roman philosopher, mid-1st century AD)

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Posts
    197
    So you want to log events from your firewall to a 3rd party hosting company? I would assume that if they already said you had to purchase a dedicated server then they probably won't help you. I really don't know any hacks for this as I'm reading about it right now. The only thing I could think of would be to do it yourself with a small box. Make it your syslog machine and have it do nothing more than this....so it could be small. I've googled and found these.

    Windows: Kiwi Syslog Daemon (Freeware)
    Linux: 'Troubleshooting With Syslog' (Also Free)


    Hope this helps. If you do set this up tell me how it works, I might just do this on my day off. Sounds like fun.
    meh. -ech0.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    There are tons of free syslog daemons out there but this isn't your problem. Your issue is having a host up 24x7 to receive the events. Honestly, I haven't seen too many home users install an enterprise class PIX firewall for simple home use. If you've got the green to power that beast 24x7, then you will have no issue getting an old PIII box and simply leave that thing up around the clock.

    A few things I would do.

    1) Archive log data weekly via gzip.
    2) Make sure your syslog server is a Linux distro with a dedicated slice (such as /var) for your log data. If for some reason you fill the partition, at least the system will stay up.
    3) Don't flood the syslog box with meaningless PIX log data such as connection setups and tear downs. You'll have so much data you'll never be able to sift through it all.

    Anyway, just a few ideas for you.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Junior Member
    Join Date
    Oct 2005
    Posts
    17
    Thanks for your replies.

    Tonight I have actually set up PIX logging to my OS X box. I figured in the beginning I would collect logs when I was online and start doing some analysis and if it gets interesting, I will look into setting up a dedicated box.

    So for those who are interested, the logging levels I have set up are as follows:

      Syslog logging: enabled
      Facility: 20
      Timestamp logging: enabled
      Standby logging: enabled
      Console logging: level errors, 0 messages logged
      Monitor logging: level errors, 0 messages logged
      Buffer logging: level errors, 0 messages logged
      Trap logging: level warnings, 1515 messages logged
      Logging to inside mybox
      History logging: level errors, 12995 messages logged
      Device ID: disabled

    I was going to set up the trap logging level to 'informational' but it ended up logging too much data including all the URLs on the outgoing traffic.

    It is interesting from the logs to see what ports are being scanned on my connection. Now I need to find a script on how to correlate the logs and maybe find out how to submit my logs to DShield. I don't think there is a DShield client for OS X at the moment. I have only seen one for Windows.

    This is all phun stuff.

    Cheers,
    Hattori Hanzo
    \"Luck is what happens when preparation meets opportunity.\"
    (Roman philosopher, mid-1st century AD)
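    The post above asks for a script to correlate the PIX deny logs and spot port scans. The following is an added example (not code from this thread or from any of the tools mentioned in it) that parses a handful of constructed PIX-style syslog lines and reports, per source address, how many distinct destination ports were denied. It assumes the classic PIX 6.x message formats for %PIX-4-106023 (ACL deny) and %PIX-2-106001 (inbound connection denied), with timestamps enabled and the default facility 20 (local4) from the config shown above, so a severity-4 message arrives with PRI <164>; the sample lines are made up for illustration and the `scan_threshold` is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating PIX 6.x syslog output (not real traffic).
# PRI = facility * 8 + severity; facility 20 (local4) with severity 4 gives <164>.
SAMPLE_LINES = [
    '<164>Oct 18 2005 22:10:05: %PIX-4-106023: Deny tcp src outside:203.0.113.5/4432 dst inside:192.0.2.10/135 by access-group "outside_access_in"',
    '<164>Oct 18 2005 22:10:05: %PIX-4-106023: Deny tcp src outside:203.0.113.5/4433 dst inside:192.0.2.10/139 by access-group "outside_access_in"',
    '<164>Oct 18 2005 22:10:06: %PIX-4-106023: Deny tcp src outside:203.0.113.5/4434 dst inside:192.0.2.10/445 by access-group "outside_access_in"',
    '<164>Oct 18 2005 22:10:06: %PIX-4-106023: Deny udp src outside:203.0.113.5/4435 dst inside:192.0.2.10/1434 by access-group "outside_access_in"',
    '<162>Oct 18 2005 22:11:40: %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/51000 to 192.0.2.10/22 flags SYN on interface outside',
    '<162>Oct 18 2005 22:11:41: %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/51001 to 192.0.2.10/22 flags SYN on interface outside',
    # Informational connection-setup noise; the thread advises not logging this at all.
    '<166>Oct 18 2005 22:12:00: %PIX-6-302013: Built outbound TCP connection 1234 for outside:192.0.2.50/80 (192.0.2.50/80) to inside:192.0.2.10/1025 (203.0.113.9/1025)',
]

PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<rest>.*)$')
# Assumed PIX 6.x message shapes; adjust the patterns if your software version differs.
DENY_106023_RE = re.compile(
    r'%PIX-(?P<sev>\d)-(?P<msg_id>106023): Deny (?P<proto>\w+) '
    r'src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
DENY_106001_RE = re.compile(
    r'%PIX-(?P<sev>\d)-(?P<msg_id>106001): Inbound (?P<proto>\w+) connection denied '
    r'from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)')


def split_pri(line):
    """Return (facility, severity, message) from the syslog PRI header,
    or (None, None, line) when the line carries no header."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group('pri'))
    return pri // 8, pri % 8, m.group('rest')


def parse_deny(line):
    """Parse a PIX deny message into a dict; return None for anything else
    (e.g. 302xxx connection setup/teardown messages, which are just noise here)."""
    _, _, msg = split_pri(line)
    for rx in (DENY_106023_RE, DENY_106001_RE):
        m = rx.search(msg)
        if m:
            d = m.groupdict()
            d['proto'] = d['proto'].lower()
            d['sport'] = int(d['sport'])
            d['dport'] = int(d['dport'])
            return d
    return None


def summarize(lines, scan_threshold=3):
    """Group denies by source address and flag sources that hit at least
    `scan_threshold` distinct (protocol, port) pairs as a probable scan."""
    by_src = defaultdict(lambda: {'denies': 0, 'ports': set()})
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        entry = by_src[d['src']]
        entry['denies'] += 1
        entry['ports'].add((d['proto'], d['dport']))
    report = {}
    for src, e in by_src.items():
        report[src] = {
            'denies': e['denies'],
            'distinct_ports': len(e['ports']),
            'ports': sorted(e['ports']),
            'probable_scan': len(e['ports']) >= scan_threshold,
        }
    return report


if __name__ == '__main__':
    for src, info in sorted(summarize(SAMPLE_LINES).items()):
        flag = 'PROBABLE SCAN' if info['probable_scan'] else 'repeat hits'
        ports = ', '.join(f'{p}/{n}' for p, n in info['ports'])
        print(f"{src}: {info['denies']} denies, {info['distinct_ports']} ports ({ports}) -> {flag}")
```

    Run it against a real log file by replacing `SAMPLE_LINES` with the lines read from the syslog server's output; only deny messages contribute to the report, so the informational 302xxx lines are skipped rather than counted.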

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by thehorse13
    Honestly, I haven't seen too many home users install an enterprise class PIX firewall for simple home use.
    A 501 is made for home/soho use..
    http://www.cisco.com/en/US/products/...031/index.html
    Why use a public server for this.. This also means that ISP can look at your firewall logs.. Not my choice.. Also note that syslog is clear-text UDP. Quite easily spoofed.. It's not a good idea to open up a syslog server to the Internet..

    Why don't you dig up some old PC?.. Install Linux or *BSD.. Use that as a syslog server.. As an added bonus you can play around with things like snort..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Junior Member
    Join Date
    Oct 2005
    Posts
    17
    SirDice,

    Good and valid points. Now I am using syslog on my OS X box (on my home network) to collect the PIX logs. Just got the fwanalog shell script working tonight which generates some nice graphs and PIX denied traffic analysis. fwanalog (http://tud.at/programm/fwanalog/) is highly recommended for anyone who wants to analyse PIX logs.

    I set up a Snort box a few years ago on a laptop. Had it running for a week or so, then the hard disk died on me.
    "Luck is what happens when preparation meets opportunity."
    (Roman philosopher, mid-1st century AD)
