Page 1: SYSLOG - Computer Networks and Distributed Systems

SYSLOG

Vladislav Marinov

Jacobs University Bremen

February 18th, 2008

Vladislav Marinov SYSLOG 1

Page 2

Have You Seen This?

Feb 17 07:38:18 aerztin syslogd 1.4.1#21ubuntu3: restart.
Feb 17 07:38:18 aerztin anacron[23256]: Job ‘cron.daily’ terminated
Feb 17 07:38:18 aerztin anacron[23256]: Normal exit (1 job run)
Feb 17 07:42:50 aerztin dhclient: DHCPREQUEST on eth0 to 10.70.17.251 port 67
Feb 17 07:42:50 aerztin dhclient: DHCPACK from 10.70.17.251
Feb 17 07:42:50 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0
Feb 17 07:42:50 aerztin dhclient: bound to 10.70.17.104 -- renewal in 3164 seconds.
Feb 17 07:56:19 aerztin -- MARK --
Feb 17 08:16:19 aerztin -- MARK --
Feb 17 08:17:01 aerztin /USR/SBIN/CRON[23439]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 17 08:35:34 aerztin dhclient: DHCPREQUEST on eth0 to 10.70.17.251 port 67
Feb 17 08:35:34 aerztin dhclient: DHCPACK from 10.70.17.251
Feb 17 08:35:34 aerztin dhclient: bound to 10.70.17.104 -- renewal in 2767 seconds.
Feb 17 08:35:34 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0
Feb 17 08:56:19 aerztin -- MARK --
Feb 17 09:16:19 aerztin -- MARK --
Feb 17 09:17:01 aerztin /USR/SBIN/CRON[23459]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 17 09:21:41 aerztin dhclient: DHCPREQUEST on eth0 to 10.70.17.251 port 67
Feb 17 09:21:41 aerztin dhclient: DHCPACK from 10.70.17.251
Feb 17 09:21:41 aerztin dhclient: bound to 10.70.17.104 -- renewal in 3222 seconds.
Feb 17 09:21:41 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0

Page 3

The SYSLOG Protocol

A management protocol used to convey event notification messages [4]
Utilizes a layered architecture which separates message content from message transport
Messages are usually recorded in /var/log/syslog on UNIX systems

Page 4

Overview

1 SYSLOG Architecture
2 SYSLOG Content
3 SYSLOG Transport Mappings
4 SYSLOG-SIGN

Page 5

SYSLOG Layers

+---------------------+    +---------------------+
|  content            |    |  content            |
|---------------------|    |---------------------|
|  syslog application |    |  syslog application | (originator,
|                     |    |                     |  collector, relay)
|---------------------|    |---------------------|
|  syslog transport   |    |  syslog transport   | (transport sender,
|                     |    |                     | (transport receiver)
+---------------------+    +---------------------+
         ^                          ^
         |                          |
         ----------------------------

syslog content - the management information contained in a syslog message.
syslog application - handles generation, interpretation, routing and storage of syslog messages.
syslog transport - puts messages on the wire and takes them off the wire.

Page 6

Some Definitions

originator - generates syslog content to be carried in a message
collector - gathers syslog content for further analysis
relay - forwards messages, accepting messages from originators or other relays, and sending them to collectors or other relays
transport sender - passes syslog messages to a specific transport protocol
transport receiver - takes syslog messages from a specific transport protocol

Page 7

Example Scenarios

+----------+         +---------+
|Originator|---->----|Collector|
+----------+         +---------+

+----------+         +-----+         +---------+
|Originator|---->----|Relay|---->----|Collector|
+----------+         +-----+         +---------+

+----------+         +-----+         +---------+
|Originator|---->----|Relay|---->----|Collector|
|          |-+       +-----+         +---------+
+----------+  \
               \     +-----+         +---------+
                +->--|Relay|---->----|Collector|
                     +-----+         +---------+

+----------+         +-----+            +---------+
|Originator|---->----|Relay|---->-------|Collector|
|          |-+       +-----+       +----|         |
+----------+  \                    /    +---------+
               \     +-----+      /
                +->--|Relay|-->--/
                     +-----+

Page 8

Overview

1 SYSLOG Architecture
2 SYSLOG Content
3 SYSLOG Transport Mappings
4 SYSLOG-SIGN

Page 9

SYSLOG Message Format

The message is defined in ABNF format:

SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG]

SYSLOG Header
Structured Data
MSG Part - contains a free-form message that provides information about the event.

Page 10

SYSLOG Header

PRI - Priority Value - shows what type of message is contained and how urgent it is
VERSION - SYSLOG Protocol Version
TIMESTAMP - identifies when the message was generated
HOSTNAME - FQDN or IP address of the originator
APP-NAME - identifies the device or application that originated the message
PROCID - process name or process ID associated with a syslog system
MSGID - identifies the type of message

Page 11

Structured Data

Contains the actual data carried in the SYSLOG message
Consists of a collection of SD-ELEMENT
Each SD-ELEMENT has a SD-ID and a number of name-value pairs

Examples:
[timeQuality tzKnown="1" isSynced="1" syncAccuracy="60000000"]
[origin ip="192.0.2.1" ip="192.0.2.129"]

Page 12

SYSLOG Message Example

<66>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@0 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...

Informational Message coming from a system daemon
The originator is mymachine.example.com
Generated by the application evntslog
No PROCID, MSGID is ID47
Contains one SD-ELEMENT and a MSG part
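As an added example (not from the slides), a small Python parser for the message format described on pages 9 to 12: it splits the HEADER fields, decodes PRI into facility and severity, walks each SD-ELEMENT while honouring the backslash escapes allowed inside parameter values, and strips the BOM from the MSG part. The sample message is a constructed copy of the slide's example, with the literal "BOM" replaced by the actual UTF-8 byte order mark.

```python
import re

# Constructed copy of the slide's example message (not a captured log); the
# U+FEFF below is the UTF-8 byte order mark that the slide prints as "BOM".
SAMPLE = ('<66>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
          '[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"] '
          '\ufeffAn application event log entry...')

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(r'^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ')
# PARAM-NAME="PARAM-VALUE"; inside the value '"', '\' and ']' are backslash-escaped
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\\]]|\\.)*)"')


def _sd_end(s, start):
    """Return the index of the ']' that closes the SD-ELEMENT opening at s[start]."""
    i, quoted = start + 1, False
    while i < len(s):
        c = s[i]
        if quoted and c == '\\':
            i += 1                      # skip the escaped character
        elif c == '"':
            quoted = not quoted
        elif c == ']' and not quoted:
            return i
        i += 1
    raise ValueError('unterminated SD-ELEMENT')


def parse_syslog(msg):
    """Split a syslog message into header fields, structured data and MSG."""
    m = HEADER_RE.match(msg)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        raise ValueError('not a well-formed syslog header')
    pri = int(m.group(1))
    nil = lambda v: None if v == '-' else v     # NILVALUE "-" means "absent"
    out = {'facility': pri >> 3, 'severity': pri & 7, 'version': int(m.group(2)),
           'timestamp': nil(m.group(3)), 'hostname': nil(m.group(4)),
           'app_name': nil(m.group(5)), 'procid': nil(m.group(6)),
           'msgid': nil(m.group(7)), 'structured_data': {}}
    rest = msg[m.end():]
    if rest.startswith('-'):                    # STRUCTURED-DATA = NILVALUE
        rest = rest[1:]
    while rest.startswith('['):                 # one SD-ELEMENT per bracket pair
        end = _sd_end(rest, 0)
        sd_id, _, params = rest[1:end].partition(' ')
        out['structured_data'][sd_id] = {
            k: re.sub(r'\\([\\"\]])', r'\1', v) for k, v in PARAM_RE.findall(params)}
        rest = rest[end + 1:]
    # MSG is optional: it follows a single SP and may start with a UTF-8 BOM
    out['msg'] = rest[1:].lstrip('\ufeff') if rest.startswith(' ') else None
    return out
```

With PRI = facility * 8 + severity, <66> decodes to facility 8 and severity 2; an informational message (severity 6) from the daemon facility (3) would carry <30>.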

Page 13

Overview

1 SYSLOG Architecture
2 SYSLOG Content
3 SYSLOG Transport Mappings
4 SYSLOG-SIGN

Page 14

UDP Transport Mapping [1]

All SYSLOG implementations must implement UDP as a SYSLOG transport
Involves very little overhead
One SYSLOG message per datagram
SYSLOG daemons listen on port UDP/514

Some concerns:
Unreliable Delivery
Message corruption
Congestion control
Sequenced delivery
Sender authentication and message forgery
Message observation
Message Replay

Page 15

TLS Transport Mapping [2]

Public Key Certificate
A certificate is a data structure which ties a public key to an entity. The principal is usually represented as a hostname or an IP address. The certificate is signed by a trusted third party (i.e. encrypted with the third party’s private key).

The SYSLOG entities are preconfigured with keys and certificates
The originator initiates a TLS Handshake with the collector
The originator and the collector exchange their certificates
Both sides validate the certificate of the other side
Session keys are exchanged which encrypt the following communication

Page 16

SYSLOG over TLS

[Figure: message sequence chart between Originator and Collector. Phases and packet counts as labelled in the figure: TCP, 3 packets (SYN; SYN, ACK; ACK); TLS/TCP, 6 packets (CLIENT HELLO; SERVER HELLO, CERTIFICATE, CERTIFICATE REQUEST, SERVER HELLO DONE; CERTIFICATE, KEY EXCHANGE, CERTIFICATE VERIFY, CHANGE CIPHER SPEC; CHANGE CIPHER SPEC; ACKs); SYSLOG, 2 packets (SYSLOG; ACK); connection close, TLS/TCP, 5 packets (CLOSE NOTIFY; CLOSE NOTIFY; FIN; FIN, ACK; ACK).]

Page 17

Overview

1 SYSLOG Architecture
2 SYSLOG Content
3 SYSLOG Transport Mappings
4 SYSLOG-SIGN

Page 18

SYSLOG-SIGN [3]

Originators and collectors exchange certificate and public key information as structured data carried over SYSLOG messages (certificate blocks)
The SD-ID of certificate blocks is ssign-cert
Originators create and store hashes of previously sent messages
Occasionally originators send the collection of hashes as structured data carried over SYSLOG messages to the collectors (signature blocks)
The SD-ID of signature blocks is ssign
Messages carrying hashes are also signed by the originator to protect message integrity

Page 19

SYSLOG-SIGN

When the collector receives the hashes from the signature blocks it can validate the previously received SYSLOG messages
SYSLOG-SIGN solves the SYSLOG/UDP security problems:
Message Authenticity
Message Replay
Reliable Delivery
Sequenced Delivery
Message Integrity
Message observation is still possible since the information is carried in plain text
Message truncation will render the algorithm unusable
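An added example (not from the slides or the signed-syslog draft) that simulates the signature-block exchange of pages 18 and 19 in Python: the originator hashes every message it sends and later signs a block listing those hashes; the collector first verifies the block and then checks which received messages the hashes vouch for, which exposes lost or truncated messages, replays, and messages nobody signed. The HMAC under a pre-shared key is an assumed stand-in for the draft's public-key signature (whose certificate would travel in ssign-cert blocks), and all messages and keys are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed stand-in for the originator's signing key. The draft uses a
# public-key signature whose certificate travels in ssign-cert blocks; here an
# HMAC under a key the collector already trusts plays that role.
SIGNING_KEY = b'constructed-demo-key'


def msg_hash(message):
    """Digest of one message, stored by the originator once it has been sent."""
    return hashlib.sha256(message.encode('utf-8')).hexdigest()


def _block_payload(first_seq, hashes):
    return '{}:{}'.format(first_seq, ','.join(hashes)).encode('utf-8')


def sign_block(first_seq, messages):
    """Originator: collect the hashes of consecutive messages (numbered from
    first_seq) into a signature block and sign it so the list cannot be altered."""
    hashes = [msg_hash(m) for m in messages]
    sig = hmac.new(SIGNING_KEY, _block_payload(first_seq, hashes), 'sha256').hexdigest()
    return {'first_seq': first_seq, 'hashes': hashes, 'sig': sig}


def verify_block(block, received):
    """Collector: reject a block whose signature fails, otherwise match each listed
    hash against the received messages. Returns:
      ok          sequence numbers whose message arrived intact
      unverified  sequence numbers with no matching message (lost, truncated or altered)
      unsigned    received messages no hash vouches for (forged, altered or replayed)"""
    expected = hmac.new(SIGNING_KEY, _block_payload(block['first_seq'], block['hashes']),
                        'sha256').hexdigest()
    if not hmac.compare_digest(expected, block['sig']):
        raise ValueError('signature block rejected: bad signature')
    pool = Counter(msg_hash(m) for m in received)   # a replayed message counts twice
    report = {'ok': [], 'unverified': [], 'unsigned': []}
    for seq, h in enumerate(block['hashes'], start=block['first_seq']):
        if pool[h] > 0:
            pool[h] -= 1                             # each hash vouches for one copy
            report['ok'].append(seq)
        else:
            report['unverified'].append(seq)
    for m in received:                               # whatever is left was never signed
        if pool[msg_hash(m)] > 0:
            pool[msg_hash(m)] -= 1
            report['unsigned'].append(m)
    return report
```

A truncated message hashes differently, so it lands in both "unverified" (its sequence number) and "unsigned" (the bytes that did arrive), which is the slide's point that truncation defeats the scheme.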

Page 20

Conclusion

SYSLOG is an event notification management protocol the content of which can be easily extended
Simply define new structured data elements
SYSLOG allows various transport mappings
SYSLOG usually runs over UDP (required mapping)
SYSLOG over TLS (recommended transport) - security at the transport layer
SYSLOG-SIGN - security at the application layer

Page 21

References

[1] A. Okmianski. Transmission of syslog messages over UDP. Internet Draft (work in progress) <draft-ietf-syslog-transport-udp-12>, Cisco Systems, 2007.
[2] Y. Ma, F. Miao. TLS Transport Mapping for Syslog. Internet Draft (work in progress) <draft-ietf-syslog-transport-tls-11>, Huawei Technologies, November 2007.
[3] A. Clemm, J. Kelsey, J. Callas. Signed syslog Messages. Internet Draft (work in progress) <draft-ietf-syslog-sign-23>, NIST, PGP Corporation, Cisco Systems, 2007.
[4] R. Gerhards. The Syslog Protocol. Internet Draft (work in progress) <draft-ietf-syslog-protocol-23>, Adiscon GmbH, 2007.