Sunday, November 25, 2007

Syslog-ng For Dummies (or SCADA Folks)

Continuing on the cleaning up my home network (aka Dummy!) theme, I decided to turn on remote syslog from one of my routers. We use syslog-ng on a lot of our boxes at work, but I've never actually configured it on any of my Debian/Ubuntu boxes at home. How hard could it be? (HINT: A hell of a lot easier than on *BSD or *&$%*! Solaris)

1) Install the package

apt-get install syslog-ng

This removes the default syslogd and creates a nice config file in /etc/syslog-ng/syslog-ng.conf whose default sources, destinations and log statements mirror (I think) what your old syslog.conf was doing.

2) Enable remote UDP syslog:

Uncomment the udp() line in the s_all source. Note that a bare udp() listens on UDP 514 on every interface; give it an ip() argument with the address on the LAN the router sits on, and/or firewall the port so only the router can reach it.

3) Add a destination

destination my_cisco { file ("/var/log/851.log"); };

4) Add the filter to grab stuff from my router

filter f_my_cisco { host("192.168.169.1"); };

host() matches the HOST field syslog-ng records for the message, so this only works if the router's messages end up tagged with the IP rather than a DNS name, i.e. use_dns(no) in the options block (or put the name in the filter instead).

5) Put them all together at the end of the file:

log {
source(s_all);
filter(f_my_cisco);
destination(my_cisco);
};
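Here is the whole thing put together as one hardened syslog-ng 2.x fragment. This is an added example, not the config from the original post: it assumes the syslog server's LAN address is 192.168.169.2 (the router is 192.168.169.1 as above), and the names s_router, d_router, f_router and the "unexpected sender" log file are mine. Instead of uncommenting udp() in s_all it uses a dedicated source, which keeps the router's messages out of the default local log paths without relying on flags(final) and statement ordering.

```conf
# Added example (not from the original post): complete syslog-ng 2.x fragment for
# the router setup above. Assumed addresses: server 192.168.169.2, router 192.168.169.1.

# Make sure the existing options{} block has these. With use_dns(yes) the HOST
# field would become the router's PTR name and a host("192.168.169.1") filter
# would silently miss every message.
options {
    use_dns(no);
    keep_hostname(yes);
    chain_hostnames(no);
};

# Listen only on the LAN-facing address (not 0.0.0.0) and only on 514/udp.
# Because this is a separate source, nothing arriving here goes through the
# default log statements that reference s_all.
source s_router {
    udp(ip("192.168.169.2") port(514));
};

# Keep the router log readable only by root and the adm group.
destination d_router {
    file("/var/log/851.log" owner("root") group("adm") perm(0640));
};

# Match on the sender's IP address rather than the HOST field, so the filter
# is not fooled by whatever hostname the router (or a spoofer) puts in the message.
filter f_router {
    netmask("192.168.169.1/32");
};

# Anything else that shows up on 514/udp is not expected; log it separately
# so it stands out instead of being mixed into the router's file.
filter f_not_router {
    not netmask("192.168.169.1/32");
};

destination d_router_other {
    file("/var/log/syslog-remote-unexpected.log" owner("root") group("adm") perm(0640));
};

log {
    source(s_router);
    filter(f_router);
    destination(d_router);
};

log {
    source(s_router);
    filter(f_not_router);
    destination(d_router_other);
};
```

Check the syntax with `syslog-ng -s` before restarting (`/etc/init.d/syslog-ng restart` on a 2007-era Debian/Ubuntu box), point the router at the server (`logging 192.168.169.2` and `logging trap informational` on IOS) and watch /var/log/851.log. Pair the listener with a host firewall rule such as `iptables -A INPUT -p udp --dport 514 ! -s 192.168.169.1 -j DROP`, since UDP syslog has no authentication and the sender address is the only thing you are trusting. If you uncomment udp() in s_all as in step 2 instead of using a dedicated source, the router's messages will also be written wherever the default log statements send them (/var/log/syslog and friends); adding flags(final); inside the router's log statement stops that, but only if that statement comes before the default ones in the file, not at the end as in step 5.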

Oh, if you are wondering about the SCADA/Dummy in the title: it refers to a thread on Server Monitoring on the SCADA Mailing list and the frequent tendency of control system folks to apply a "default deny" and reject mature technologies (firewalls, AV, IDS) or practices (patching security vulnerabilities, or public disclosure of vulns by CERT/CC) as "office" or "IT" and therefore completely inappropriate for consideration in control system devices, applications, servers, networks, etc. Or perhaps it is just the light, or lack thereof, this far North.

2 comments:

Jason Meltzer said...

For all the people at Suncor/Syncrude/etc. in Ft. Mac and here in the 'chuck... you might not be far off with the SAD thing.

Matt Franz said...

Jason,

Sunlight is a powerful thing! Hey, very cool blog!

And somebody actually got PDB working, cool!