Logging TCP events

Hi there,

I need to log TCP events (slow-start, fast retransmit, ...) in order to know when TCP enters and leaves each event. Is it possible to modify syslog.conf in order to get this info? If not, does anyone have any idea about how to do it?

Thanks for your help, Alaa GHALEB

Reply to
alaaghaleb

Modifying syslog.conf would only work if something were -already- sending the events to syslogd but syslog.conf had been configured to discard the log entries.

You haven't given us any clue as to what operating system you are using, but it seems likely to me that at the moment nothing is sending those events to syslogd. Possibly there is some hook or system configuration parameter or value in a kernel control file (that you could set and then rebuild the kernel to activate) that would enable the logging; or possibly it would be a minor change to your operating system source followed by a rebuild. To find out, you'd probably best ask in a newsgroup more dedicated to your OS; it is not a firewall or security question.

Personally I don't think sending to syslogd would work very well. syslogd is a relatively slow logging mechanism, and since it is UDP based, it probably wouldn't take a great deal of load on it before some of the UDP packets got lost or dropped from the queue. How many connections per second would the modified system likely be seeing?

Reply to
Walter Roberson

Actually, I'm using Fedora Core 5 as an operating system. And thanks for your advice,

Alaa

Walter Roberson wrote:

Reply to
asubs

Syslog-NG can use TCP connectivity (I use it to SSH-tunnel logging between systems) along with IPTABLES on the firewall to sort traffic out into various logs. Several systems, including a honey-pot system, use a tcpdump dump and batch-transmit the data to a MySQL DB (pre-filtered prior to transmit to reduce log size).

As for the specifics of the TCP packet criteria, those would be in either the IPTABLES definitions or, if doing the tcpdump, I would send that to a FIFO and have a Perl script filter it out to a file as a service. (Our logging server does this with all the syslog data and places it in MySQL.)

Reply to
Idgarad
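An added example (editor's code, not from any poster in this thread) of the FIFO-plus-filter-script pipeline Idgarad describes, written in Python rather than Perl. It parses the text output of tcpdump (run with -S for absolute sequence numbers and -tt for raw timestamps) and infers the events from the original question that are actually visible on the wire: the third duplicate ACK for a byte, fast retransmissions, and timeout retransmissions. One caveat a capture-based approach cannot escape: slow-start is a property of the sender's congestion window inside the kernel and does not appear in any packet, so nothing here can log when slow-start is entered or left; only its side effects (retransmissions, duplicate ACKs) can be inferred. The capture lines below are constructed for the example, and the fast-versus-timeout classification is a heuristic: a retransmission preceded by three or more duplicate ACKs for that sequence number is labelled a fast retransmit, anything else a timeout (RTO) retransmission.

```python
import re
import sys
from collections import defaultdict
from dataclasses import dataclass

# One line of `tcpdump -nn -S -tt -l tcp` output, e.g.
#   1.000400 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1001:1101, ack 5001, win 65535, length 100
# IPv6 lines ("IP6 ...") and non-TCP lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq1>\d+)(?::(?P<seq2>\d+))?,)?"
    r"(?: ack (?P<ack>\d+),)?"
    r" win (?P<win>\d+),.* length (?P<len>\d+)"
)


@dataclass
class DirState:
    """Per-direction (src -> dst) state."""
    max_seq_end: int = 0   # highest sequence number end sent so far in this direction
    last_ack: int = -1     # last ACK number seen from this side
    dup_acks: int = 0      # consecutive pure ACKs repeating last_ack


def parse_line(line):
    """Return a dict for a tcpdump TCP line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": f"{d['src']}:{d['sport']}",
        "dst": f"{d['dst']}:{d['dport']}",
        "flags": d["flags"],
        "seq": int(d["seq1"]) if d["seq1"] else None,
        "seq_end": int(d["seq2"]) if d["seq2"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
        "len": int(d["len"]),
    }


def detect_events(lines):
    """Return a list of (timestamp, 'src > dst', event) tuples inferred from the capture."""
    state = defaultdict(DirState)
    events = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd, rev = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])
        s = state[fwd]
        flow = f"{pkt['src']} > {pkt['dst']}"

        if pkt["len"] > 0 and pkt["seq"] is not None:
            if pkt["seq"] < s.max_seq_end:
                # Data below the highest byte already sent in this direction: a retransmission.
                # If the peer has sent >= 3 duplicate ACKs for exactly this byte, call it a fast
                # retransmit; otherwise assume the retransmit timer fired. Heuristic only.
                peer = state[rev]
                fast = peer.dup_acks >= 3 and peer.last_ack == pkt["seq"]
                kind = "fast-retransmit" if fast else "rto-retransmit"
                events.append((pkt["ts"], flow, f"{kind} seq {pkt['seq']}:{pkt['seq_end']}"))
            s.max_seq_end = max(s.max_seq_end, pkt["seq_end"])

        if pkt["ack"] is not None:
            pure_ack = pkt["len"] == 0 and "S" not in pkt["flags"] and "F" not in pkt["flags"]
            if pkt["ack"] != s.last_ack:
                s.last_ack, s.dup_acks = pkt["ack"], 0       # ACK advanced (or first ACK): reset
            elif pure_ack:
                s.dup_acks += 1                               # same ACK number again: duplicate ACK
                if s.dup_acks == 3:
                    events.append((pkt["ts"], flow,
                                   f"3 dup ACKs for {pkt['ack']} (fast-retransmit threshold)"))
    return events


# Constructed capture: sender 10.0.0.1 sends five segments, the second is lost downstream,
# the receiver dup-ACKs 1101 three times, the sender fast-retransmits 1101:1201, then later
# retransmits 1501:1601 after a 200 ms silence (no dup ACKs, so it reads as an RTO).
SAMPLE = """\
1.000100 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
1.000200 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
1.000300 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [.], ack 5001, win 65535, length 0
1.000400 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1001:1101, ack 5001, win 65535, length 100
1.000500 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1101:1201, ack 5001, win 65535, length 100
1.000600 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1201:1301, ack 5001, win 65535, length 100
1.000700 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1301:1401, ack 5001, win 65535, length 100
1.000800 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1401:1501, ack 5001, win 65535, length 100
1.001000 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [.], ack 1101, win 65535, length 0
1.001100 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [.], ack 1101, win 65535, length 0
1.001200 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [.], ack 1101, win 65535, length 0
1.001300 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [.], ack 1101, win 65535, length 0
1.001400 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1101:1201, ack 5001, win 65535, length 100
1.001600 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [.], ack 1501, win 65535, length 0
1.001700 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1501:1601, ack 5001, win 65535, length 100
1.201700 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1501:1601, ack 5001, win 65535, length 100
1.201900 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [.], ack 1601, win 65535, length 0
"""

if __name__ == "__main__":
    # With no stdin redirection this replays the constructed sample; in the FIFO setup the
    # tcpdump text arrives on stdin one line at a time.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for ts, flow, event in detect_events(source):
        print(f"{ts} {flow} {event}")
```

To wire it up the way Idgarad describes (FIFO path and script name are placeholders): `mkfifo /tmp/tcp.fifo; tcpdump -nn -S -tt -l -i eth0 tcp > /tmp/tcp.fifo &` and then `python3 tcp_events.py < /tmp/tcp.fifo`. Because the script keys its state on the (source, destination) pair, it tracks each direction of each connection independently; long-running deployments would want to expire entries for closed connections, which this example omits.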

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.