Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events. For example, a router might send messages about users logging on to console sessions, while a web-server might log access-denied events.
Most network equipment, like routers and switches, can send Syslog messages. Not only that, but *nix servers also have the ability to generate Syslog data, as do most firewalls, some printers, and even web-servers like Apache.
Windows-based servers don’t support Syslog natively, but a large number of third-party tools make it easy to collect Windows Event Log or IIS data and forward it to a Syslog server.
Unlike SNMP, Syslog can’t be used to “poll” devices to gather information. For example, SNMP has a complex hierarchical structure that allows a management station to ask a device for information on things like temperature data or available disk space. That’s not possible with Syslog – it simply sends messages to a central location when specific events are triggered.
Events and Log records
A log is an event.
An event is something that happens, not necessarily bad.
How long do we keep logs? PCI is one reference. Govt doesn’t tell you how long to keep logs, but will fine you if you don’t have them.
If there’s a policy to keep logs, there’s probably also a policy to deleting them (See Data Retention Policy).
Must be careful about not logging certain things such as credit card numbers and social security numbers.
Snare can run on a Windows machine and export to a central place.
Can use WMI protocol.
Syslog and UDP port 514
Most Sys Logs usually take place over UDP and in clear text, there are such things as TCP Log.
Sys log actually uses UDP, so if someone is sniffing the wire, they can see the logs!
Centralized logging
One good reason for centralized logging is if someone was hacked, can say anytime we see a login to one of the servers with this username, send an alert.
Also for correlations, for example if Mo card-swipes into the office at 9:15pm and then a VPN picks up his login a few minutes later, could send an alert as he most likely would not be logging into the VPN if he’s in the office.
Can pick a username and say show me all the systems this user has logged into in the past eight hours.