syslog - computer networks and distributed systems
Have You Seen This?
Feb 17 07:38:18 aerztin syslogd 1.4.1#21ubuntu3: restart.
Feb 17 07:38:18 aerztin anacron[23256]: Job ‘cron.daily’ terminated
Feb 17 07:38:18 aerztin anacron[23256]: Normal exit (1 job run)
Feb 17 07:42:50 aerztin dhclient: DHCPREQUEST on eth0 to 10.70.17.251 port 67
Feb 17 07:42:50 aerztin dhclient: DHCPACK from 10.70.17.251
Feb 17 07:42:50 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0
Feb 17 07:42:50 aerztin dhclient: bound to 10.70.17.104 -- renewal in 3164 seconds.
Feb 17 07:56:19 aerztin -- MARK --
Feb 17 08:16:19 aerztin -- MARK --
Feb 17 08:17:01 aerztin /USR/SBIN/CRON[23439]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 17 08:35:34 aerztin dhclient: DHCPREQUEST on eth0 to 10.70.17.251 port 67
Feb 17 08:35:34 aerztin dhclient: DHCPACK from 10.70.17.251
Feb 17 08:35:34 aerztin dhclient: bound to 10.70.17.104 -- renewal in 2767 seconds.
Feb 17 08:35:34 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0
Feb 17 08:56:19 aerztin -- MARK --
Feb 17 09:16:19 aerztin -- MARK --
Feb 17 09:17:01 aerztin /USR/SBIN/CRON[23459]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 17 09:21:41 aerztin dhclient: DHCPREQUEST on eth0 to 10.70.17.251 port 67
Feb 17 09:21:41 aerztin dhclient: DHCPACK from 10.70.17.251
Feb 17 09:21:41 aerztin dhclient: bound to 10.70.17.104 -- renewal in 3222 seconds.
Feb 17 09:21:41 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0
Vladislav Marinov SYSLOG 2
The SYSLOG Protocol
A management protocol used to convey event notification messages [4]
Utilizes a layered architecture which allows separating message content from message transport
Messages are usually recorded in /var/log/syslog on UNIX systems
Overview
1 SYSLOG Architecture
2 SYSLOG Content
3 SYSLOG Transport Mappings
4 SYSLOG-SIGN
SYSLOG Layers
+---------------------+ +---------------------+
| content | | content |
|---------------------| |---------------------|
| syslog application | | syslog application | (originator,
| | | | collector, relay)
|---------------------| |---------------------|
| syslog transport | | syslog transport | (transport sender,
| | | | transport receiver)
+---------------------+ +---------------------+
^ ^
| |
--------------------------
syslog content - the management information contained in a syslog message.
syslog application - handles generation, interpretation, routing and storage of syslog messages.
syslog transport - puts messages on the wire and takes them off the wire.
Some Definitions
originator - generates syslog content to be carried in a message
collector - gathers syslog content for further analysis
relay - forwards messages, accepting messages from originators or other relays, and sending them to collectors or other relays
transport sender - passes syslog messages to a specific transport protocol
transport receiver - takes syslog messages from a specific transport protocol
Example Scenarios
+----------+ +---------+
|Originator|---->----|Collector|
+----------+ +---------+
+----------+ +-----+ +---------+
|Originator|---->----|Relay|---->----|Collector|
+----------+ +-----+ +---------+
+----------+ +-----+ +---------+
|Originator|---->----|Relay|---->----|Collector|
| |-+ +-----+ +---------+
+----------+ \
\ +-----+ +---------+
+->--|Relay|---->----|Collector|
+-----+ +---------+
+----------+ +-----+ +---------+
|Originator|---->----|Relay|---->-------|Collector|
| |-+ +-----+ +---| |
+----------+ \ / +---------+
\ +-----+ /
+->--|Relay|-->--/
+-----+
SYSLOG Message Format
The message is defined in ABNF format
SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG]
Three parts: the SYSLOG Header, the Structured Data, and the optional MSG part, which contains a free-form message that provides information about the event
SYSLOG Header
PRI - Priority Value - shows what type of message is contained and how urgent it is: PRI = facility * 8 + severity, written in angle brackets, e.g. <30> for facility 3 (system daemon) and severity 6 (informational)
VERSION - SYSLOG protocol version (1 for this format)
TIMESTAMP - identifies when the message was generated (RFC 3339 format)
HOSTNAME - FQDN or IP address of the originator
APP-NAME - identifies the device or application that originated the message
PROCID - process name or process ID associated with a syslog system
MSGID - identifies the type of message
A header field that is not available is written as the NILVALUE "-"
Structured Data
Carries the data of the SYSLOG message in a well-defined, easily parseable format
Consists of a collection of SD-ELEMENTs, or the NILVALUE "-" if there are none
Each SD-ELEMENT has an SD-ID and a number of name-value pairs (SD-PARAMs); the same name may appear more than once
Examples:
[timeQuality tzKnown="1" isSynced="1"
syncAccuracy="60000000"]
[origin ip="192.0.2.1" ip="192.0.2.129"]
SYSLOG Message Example
<30>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@0 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...
PRI 30 = 3 * 8 + 6: an informational message (severity 6) coming from a system daemon (facility 3)
The originator is mymachine.example.com
Generated by the application evntslog
No PROCID (the NILVALUE "-"), MSGID is ID47
Contains one SD-ELEMENT (SD-ID exampleSDID@0 with three parameters) and a MSG part; "BOM" stands for the UTF-8 byte order mark (bytes EF BB BF), which marks the MSG as UTF-8 encoded
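The message format above, parsed in working code. This is an added example written for this page, not code from the slides or from any syslog implementation. The sample message is the slide's example (PRI 30) constructed inline; the short facility and severity names, the dict keys of the result and the treatment of a MSG without a byte order mark as opaque bytes are this example's own choices.

```python
"""Parser for RFC 5424 syslog messages: PRI, header, structured data, MSG."""
import re

# Facility and severity names for the RFC 5424 numeric codes (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SD_ELEMENT = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')
BOM = b"\xef\xbb\xbf"

# The slide's example message, constructed inline (PRI 30: daemon, informational).
SAMPLE = (b"<30>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
          b'[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"] '
          + BOM + b"An application event log entry...")


def parse_pri(pri: int):
    """Split PRI into (facility name, severity name); valid PRIs are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def _nil(field: bytes):
    """Header fields are printable ASCII; the NILVALUE '-' means 'not available'."""
    return None if field == b"-" else field.decode("ascii")


def _split_sd(tail: bytes):
    """Return (STRUCTURED-DATA bytes, remainder) by scanning the run of [...] elements."""
    pos = 0
    while pos < len(tail) and tail[pos:pos + 1] == b"[":
        pos += 1
        in_quotes = False
        while pos < len(tail):
            c = tail[pos:pos + 1]
            if in_quotes and c == b"\\":
                pos += 2              # escaped ", \ or ] inside a PARAM-VALUE
                continue
            if c == b'"':
                in_quotes = not in_quotes
            elif c == b"]" and not in_quotes:
                break
            pos += 1
        if pos >= len(tail):
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1                      # consume the closing ']'
    return tail[:pos], tail[pos:]


def parse_sd(sd_text: str) -> dict:
    """Map SD-ID -> list of (name, value); a list because a name may repeat (origin ip=...)."""
    elements = {}
    for m in SD_ELEMENT.finditer(sd_text):
        params = SD_PARAM.findall(m.group(2))
        elements[m.group(1)] = [(k, re.sub(r'\\(["\\\]])', r"\1", v)) for k, v in params]
    return elements


def parse_syslog(raw: bytes) -> dict:
    m = re.match(rb"<(\d{1,3})>1 ", raw)
    if not m:
        raise ValueError("not an RFC 5424 (version 1) message")
    facility, severity = parse_pri(int(m.group(1)))
    parts = raw[m.end():].split(b" ", 5)
    if len(parts) < 6:
        raise ValueError("truncated header")
    timestamp, hostname, appname, procid, msgid, tail = parts
    if tail.startswith(b"-"):
        sd_bytes, rest = b"-", tail[1:]
    else:
        sd_bytes, rest = _split_sd(tail)
        if not sd_bytes:
            raise ValueError("STRUCTURED-DATA must be '-' or at least one SD-ELEMENT")
    if rest and not rest.startswith(b" "):
        raise ValueError("MSG must be separated from STRUCTURED-DATA by SP")
    msg_bytes = rest[1:] if rest else b""
    # MSG is known to be UTF-8 only when it starts with the BOM; otherwise keep the bytes.
    if msg_bytes.startswith(BOM):
        msg, utf8 = msg_bytes[len(BOM):].decode("utf-8"), True
    else:
        msg, utf8 = msg_bytes.decode("latin-1"), False
    return {
        "facility": facility, "severity": severity,
        "timestamp": _nil(timestamp), "hostname": _nil(hostname),
        "appname": _nil(appname), "procid": _nil(procid), "msgid": _nil(msgid),
        "sd": {} if sd_bytes == b"-" else parse_sd(sd_bytes.decode("utf-8")),
        "msg": msg if rest else None, "msg_utf8": utf8,
    }


if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
```

The parser rejects a truncated header and an unterminated SD-ELEMENT instead of guessing, which matters on a collector: a message that does not parse should be logged raw, not silently dropped or partially indexed.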
UDP Transport Mapping [1]
All SYSLOG implementations must support UDP as a SYSLOG transport
Involves very little overhead
One SYSLOG message per datagram
SYSLOG daemons listen on port UDP/514
Some concerns:
Unreliable Delivery
Message corruption
Congestion control
Sequenced delivery
Sender authentication and message forgery
Message observation
Message Replay
TLS Transport Mapping [2]
Public Key Certificate
A certificate is a data structure which ties a public key to an entity. The principal is usually represented as a hostname or an IP address. The certificate is signed by a trusted third party: the issuer signs it with its private key, and anyone holding the issuer's public key can verify the signature
The SYSLOG entities are preconfigured with keys and certificates
The originator initiates a TLS handshake with the collector
The originator and the collector exchange their certificates
Both sides validate the certificate of the other side: the collector checks that the originator's certificate was issued by the trusted third party, the originator checks the collector's certificate the same way and that it names the collector it meant to reach
Session keys are derived from the handshake and encrypt the following communication
SYSLOG over TLS
Packet sequence between originator and collector, reconstructed from the slide's sequence diagram (the packet counts are the slide's labels):
TCP, 3 packets: originator SYN; collector SYN, ACK; originator ACK
TLS/TCP, 6 packets: originator CLIENT HELLO; collector ACK; collector SERVER HELLO, CERTIFICATE, CERTIFICATE REQUEST, SERVER HELLO DONE; originator CERTIFICATE, KEY EXCHANGE, CERTIFICATE VERIFY, CHANGE CIPHER SPEC; collector CHANGE CIPHER SPEC; originator ACK
2 packets: originator SYSLOG; collector ACK
TLS/TCP, 5 packets: originator CLOSE NOTIFY; originator FIN; collector CLOSE NOTIFY; collector FIN, ACK; originator ACK
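The handshake sets up the session; what then crosses it is a byte stream, so unlike UDP (one message per datagram) the collector has to find message boundaries itself. The added example below is written for this page and is not code from the slides or from any syslog implementation. It shows the octet-counting framing that the TLS mapping [2], published as RFC 5425, uses for this (MSG-LEN SP SYSLOG-MSG), a reader that reassembles messages from arbitrarily split TCP segments and rejects malformed or oversized frames, and the two ssl.SSLContext configurations that enforce the mutual certificate validation described above. Port 6514 is the RFC 5425 port; the certificate file names, the 8192-octet frame limit and the sample messages are assumptions constructed for the example.

```python
"""Octet-counting framing and TLS contexts for syslog over TLS."""
import socket
import ssl

MAX_MSG_LEN = 8192   # assumption: the largest frame this collector is willing to buffer


def frame(msg: bytes) -> bytes:
    """Octet-counting frame: MSG-LEN SP SYSLOG-MSG (MSG-LEN = NONZERO-DIGIT *DIGIT)."""
    if not msg:
        raise ValueError("empty message")
    return b"%d " % len(msg) + msg


class FrameReader:
    """Reassembles frames from a TCP/TLS byte stream that may split or merge messages."""

    def __init__(self, max_len: int = MAX_MSG_LEN):
        self.buf = b""
        self.max_len = max_len

    def feed(self, chunk: bytes) -> list:
        """Append received bytes; return every complete message now available, in order."""
        self.buf += chunk
        msgs = []
        while self.buf:
            sp = self.buf.find(b" ")
            prefix = self.buf if sp < 0 else self.buf[:sp]
            # Reject junk before buffering it: no digits, a leading zero, or too many digits.
            if (not prefix.isdigit() or prefix.startswith(b"0")
                    or len(prefix) > len(str(self.max_len))):
                raise ValueError("malformed MSG-LEN prefix: %r" % prefix)
            if sp < 0:
                break                 # length not complete yet; wait for more bytes
            length = int(prefix)
            if length > self.max_len:
                raise ValueError("frame of %d octets exceeds limit" % length)
            end = sp + 1 + length
            if len(self.buf) < end:
                break                 # body not complete yet
            msgs.append(self.buf[sp + 1:end])
            self.buf = self.buf[end:]
        return msgs


def collector_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    """Collector side: present its own certificate and require one from the originator."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED      # an originator without a valid certificate is refused
    return ctx


def originator_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    """Originator side: verify the collector against the configured CA and send its own cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # check_hostname is already on for SERVER_AUTH
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def send_over_tls(ctx: ssl.SSLContext, host: str, msg: bytes, port: int = 6514) -> None:
    """Send one framed message over a mutually authenticated TLS connection."""
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(frame(msg))


if __name__ == "__main__":
    # Constructed sample messages in the format of the previous slides.
    a = b"<30>1 2003-10-11T22:14:15.003Z aerztin dhclient - - - DHCPACK from 10.70.17.251"
    b = b"<30>1 2003-10-11T22:14:15.004Z aerztin dhclient - - - bound to 10.70.17.104"
    reader, stream = FrameReader(), frame(a) + frame(b)
    for i in range(0, len(stream), 7):          # deliver the stream in 7-byte segments
        for m in reader.feed(stream[i:i + 7]):
            print(m)
```

The length limit and the early rejection of a non-numeric prefix are what keep a single misbehaving originator from making the collector buffer without bound; a reader that simply waits for a space would do exactly that.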
SYSLOG-SIGN [3]
Originators and collectors exchange certificate and public key information as structured data carried over SYSLOG messages (certificate blocks)
The SD-ID of certificate blocks is ssign-cert
Originators create and store hashes of previously sent messages
Occasionally originators send the collection of hashes as structured data carried over SYSLOG messages to the collectors (signature blocks)
The SD-ID of signature blocks is ssign
Messages carrying hashes are also signed by the originator to protect message integrity
SYSLOG-SIGN
When the collector receives the hashes from the signature blocks it can validate the previously received SYSLOG messages
SYSLOG-SIGN addresses the SYSLOG/UDP security problems:
Message Authenticity
Message Replay
Reliable Delivery (a lost message is detected as a hash with no matching message; it is not retransmitted)
Sequenced Delivery (the signature block lists the hashes in sending order)
Message Integrity
Message observation is still possible since the information is carried in plain text
Message truncation will render the algorithm unusable: a truncated message no longer matches the hash computed over the complete message, and a truncated signature block cannot be verified at all
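The procedure above, as an added example that is not part of the original slides and not an implementation of RFC 5848 (the published form of [3]): an originator that keeps the hash of every message it sends and emits a signature block every three messages, and a collector that uses the block to authenticate messages, detect an altered message, a replayed copy and a lost one, and fails closed when the block is truncated. Assumptions: an HMAC over a shared demo key stands in for the originator's public-key signature; the ssign element carries only RSID, FMN, CNT, HB and SIGN (the real one has further parameters); hashes are SHA-256; the collector flushes its buffer at every signature block; the log lines are constructed.

```python
"""SYSLOG-SIGN style signature blocks: originator and collector."""
import base64
import hashlib
import hmac
import re

# Assumption: an HMAC over a shared demo key stands in for the originator's
# public-key signature (RFC 5848 uses a key announced in an ssign-cert block).
DEMO_KEY = b"constructed-demo-key"
SIG_PRI = 13 * 8 + 6   # facility 13 (log audit), severity 6 (informational)


def msg_hash(msg: bytes) -> str:
    """Hash of one complete syslog message, base64 as carried in the HB parameter."""
    return base64.b64encode(hashlib.sha256(msg).digest()).decode("ascii")


def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Originator:
    """Stores hashes of sent messages and emits a signature block every `group` messages."""

    def __init__(self, key: bytes, group: int = 3, rsid: int = 1):
        self.key, self.group, self.rsid = key, group, rsid
        self.count = 0       # number of messages sent so far
        self.pending = []    # (message number, hash) not yet covered by a signature block

    def emit(self, msg: bytes) -> list:
        """Wire messages to send for `msg`: the message, plus a signature block when due."""
        self.count += 1
        self.pending.append((self.count, msg_hash(msg)))
        out = [msg]
        if len(self.pending) >= self.group:
            out.append(self.signature_block())
        return out

    def signature_block(self) -> bytes:
        fmn, cnt = self.pending[0][0], len(self.pending)   # first message number, count
        hb = " ".join(h for _, h in self.pending)           # hash block, in sending order
        sig = sign(self.key, f"{self.rsid} {fmn} {cnt} {hb}".encode())
        self.pending = []
        # Simplified ssign element (assumption); RFC 5848 carries further parameters.
        return (f'<{SIG_PRI}>1 - - - - - [ssign RSID="{self.rsid}" FMN="{fmn}" '
                f'CNT="{cnt}" HB="{hb}" SIGN="{sig}"]').encode()


class Collector:
    """Buffers received messages and checks them against each signature block."""

    def __init__(self, key: bytes):
        self.key = key
        self.pool = []   # messages received since the last signature block

    def receive(self, wire: bytes):
        """None for an ordinary message, a verification report for a signature block."""
        if b"[ssign " in wire:
            return self.verify(wire)
        self.pool.append(wire)
        return None

    def verify(self, block: bytes) -> dict:
        params = dict(re.findall(rb'(\w+)="([^"]*)"', block))
        pool, self.pool = self.pool, []
        try:
            payload = b" ".join(params[k] for k in (b"RSID", b"FMN", b"CNT", b"HB"))
            claimed = params[b"SIGN"].decode("ascii")
        except KeyError:
            # A truncated block lost a parameter or its closing quote: nothing is verifiable.
            return {"signature_ok": False, "verified": [], "missing": 0, "unverified": pool}
        if not hmac.compare_digest(sign(self.key, payload), claimed):
            return {"signature_ok": False, "verified": [], "missing": 0, "unverified": pool}
        verified, missing = [], 0
        for h in params[b"HB"].decode("ascii").split(" "):
            match = next((m for m in pool if msg_hash(m) == h), None)
            if match is None:
                missing += 1          # lost in transit, or altered so that its hash changed
            else:
                verified.append(match)
                pool.remove(match)    # one hash vouches for one copy; a replay stays behind
        return {"signature_ok": True, "verified": verified, "missing": missing,
                "unverified": pool}   # altered, forged or replayed messages


def demo() -> dict:
    """Honest delivery, an attacked delivery, and a truncated signature block (constructed)."""
    m1 = b"<30>1 2003-10-11T22:14:15.003Z aerztin sshd 410 - - Accepted publickey for alice"
    m2 = b"<30>1 2003-10-11T22:14:16.003Z aerztin sudo 411 - - alice : COMMAND=/bin/id"
    m3 = b"<30>1 2003-10-11T22:14:17.003Z aerztin sshd 412 - - Disconnected from alice"
    orig, wire = Originator(DEMO_KEY), []
    for m in (m1, m2, m3):
        wire += orig.emit(m)          # m1, m2, m3, signature block
    block = wire[3]
    honest = Collector(DEMO_KEY)
    honest_report = [honest.receive(w) for w in wire][-1]
    attacked = Collector(DEMO_KEY)
    tampered = m2.replace(b"/bin/id", b"/bin/sh")
    attacked_report = [attacked.receive(w) for w in (m1, tampered, m3, m1, block)][-1]
    cut = Collector(DEMO_KEY)
    cut_report = [cut.receive(w) for w in (m1, m2, m3, block[:-10])][-1]
    return {"honest": honest_report, "attacked": attacked_report, "truncated": cut_report,
            "messages": (m1, m2, m3, tampered)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

In the attacked run the altered sudo line and the replayed sshd line end up in the "unverified" list and the original sudo line counts as missing, which is exactly the signal a collector should alarm on; nothing in the scheme hides the plaintext, so the observation problem from the UDP slide remains.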
Conclusion
SYSLOG is an event notification management protocol the content of which can be easily extended
Simply define new structured data elements
SYSLOG allows various transport mappings
SYSLOG usually runs over UDP (required mapping)
SYSLOG over TLS (recommended transport) - security at the transport layer
SYSLOG-SIGN - security at the application layer
References
[1] A. Okmianski. Transmission of syslog messages over UDP. Internet Draft (work in progress) <draft-ietf-syslog-transport-udp-12>, Cisco Systems, 2007.
[2] F. Miao, Y. Ma. TLS Transport Mapping for Syslog. Internet Draft (work in progress) <draft-ietf-syslog-transport-tls-11.txt>, Huawei Technologies, November 2007.
[3] J. Kelsey, J. Callas, A. Clemm. Signed syslog Messages. Internet Draft (work in progress) <draft-ietf-syslog-sign-23.txt>, NIST, PGP Corporation, Cisco Systems, 2007.
[4] R. Gerhards. The Syslog Protocol. Internet Draft (work in progress) <draft-ietf-syslog-protocol-23>, Adiscon GmbH, 2007.