
Central System Logging

The purpose of the LBNL Central Syslog Server project is to centrally aggregate the host activity information available via syslog, as a resource to help the Computer Protection Program (CPP) prevent and mitigate damage from security incidents. Large parts of the Internet, including LBNL, have been experiencing attacks in which account credentials (username and password) are stolen, typically when a user logs into a secure host from a compromised host. Once the credentials are stolen, the attacker(s) access the secure host and attempt to compromise it, often successfully. The process is then repeated from the newly compromised host; this has been a very successful methodology for attackers. What makes the attack particularly difficult to defend against is that all of this is done over an encrypted channel (SSH), so the activity cannot be monitored on the network; the hosts' own syslog records are where it remains visible.

Any time your host records syslog information it will be sent to the central syslog server in addition to your local syslog files.
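As an added illustration (not part of this page or of the LBNL syslog project's tooling) of why aggregating syslog from many hosts matters: the host-to-host hopping described above can only be followed when one place holds the sshd records from every host. The hostnames, addresses, inventory table and log lines below are constructed for the example, and the host inventory is an assumed input; legitimate jump-host use matches the same pattern, so the output is a list of leads for CPP analysts, not verdicts.

```python
import re

# Constructed sample lines in the shape of sshd "Accepted" records, as the
# central syslog server would receive them from several hosts in arrival order.
SAMPLE_LOGS = """\
Mar  3 08:01:12 hostA sshd[2231]: Accepted password for alice from 203.0.113.7 port 51022 ssh2
Mar  3 08:04:40 hostB sshd[4410]: Accepted password for alice from 10.0.0.11 port 40211 ssh2
Mar  3 08:09:03 hostC sshd[1904]: Accepted password for bob from 10.0.0.12 port 39874 ssh2
Mar  3 09:15:30 hostD sshd[8821]: Accepted publickey for carol from 10.0.0.50 port 55102 ssh2
"""

# Assumed site inventory: reporting hostname -> its address (constructed values).
HOST_ADDRS = {"hostA": "10.0.0.11", "hostB": "10.0.0.12",
              "hostC": "10.0.0.13", "hostD": "10.0.0.14"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

def parse_logins(text):
    """Return one dict per successful sshd login line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_hop_chains(logins, host_addrs):
    """Find chains of the form: entry into host X from outside the monitored
    hosts, then a login from X's address into Y, then from Y into Z, ...
    Returns a list of {"hosts": [...], "users": [...]} for chains of 2+ hosts."""
    addr_to_host = {addr: host for host, addr in host_addrs.items()}
    chains = []
    for i, first in enumerate(logins):
        if first["src"] in addr_to_host:
            continue  # chains start only at logins from outside the monitored set
        hosts, users = [first["host"]], [first["user"]]
        for nxt in logins[i + 1:]:
            # a later login whose source address is the last host in the chain
            if addr_to_host.get(nxt["src"]) == hosts[-1]:
                hosts.append(nxt["host"])
                users.append(nxt["user"])
        if len(hosts) > 1:
            chains.append({"hosts": hosts, "users": users})
    return chains

if __name__ == "__main__":
    for chain in find_hop_chains(parse_logins(SAMPLE_LOGS), HOST_ADDRS):
        print(" -> ".join(chain["hosts"]), "as", chain["users"])
```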

Related Links

Service Announcements

None

Rates/Service Level Agreements

Overhead funded

Policies/Guidelines/Terms of Service

The Computer Protection Program (CPP) requires all LBNL Unix/Linux and OS X hosts to syslog to the central syslog server. This document outlines the purpose of this requirement as well as the configuration steps required for LBNL hosts to report to the central syslog server.

FAQ

None

Contact

IT Help Desk

For technical support, please call the IT Help Desk at 486-4357 or go to the IT Help Desk Web site.
