Syslog.

Now syslog is a protocol for enabling different appliances and software applications to transmit their logs or event records to a centralized server. Syslog is one of the things we talked about back when we talked about SIEMs, because it was one of the protocols we could use to send data to the SIEM. Now, syslog is going to follow a standard client-server model, and this is the de facto standard for logging of events from distributed systems across a network. You are going to see syslog in use in so many of the systems that you're going to work on on a daily basis. Now, syslog runs on most operating systems and on most networking equipment. So whether you're using a Cisco router, or you're using a Windows machine or a Linux server, all of them can use syslog, and it's going to run over port five, one, four or 514 using UDP over the TCP/IP protocol.

Here on the screen, you can see a basic web front-end for the pfSense unified threat manager. Notice here we have the remote logging options. The first option is to send log messages to a remote syslog server; we're going to check that and say, yes, we want that to happen. Then we're going to say, where's it coming from? The source address is going to be the LAN. Remember, this is a pfSense unified threat manager, which is essentially a next-generation firewall. So we have to determine, are we going to be logging the things coming from the outside or things coming from the inside? And in this case, we want to be logging things from the inside, so we're going to use the LAN here. Then we have what IP format we're going to use: are we using IPv4 or IPv6? In our case, we're going to use IPv4. Then we enter in what servers we want it to go to by their IP address, and notice it's port five, one, four or 514, because that is the UDP port for syslog. Then we have all of our different options: what do we want to send there? And notice, we didn't just say send everything, because we don't want to overwhelm our SIEMs. Instead, we've thought about what we want to capture. We want to capture system events and firewall events and DNS events and PPP events, which is things like connecting from over remote access, and we also want to send over our gateway monitoring events, but the rest of it, we decided that wasn't important to us, so we left those unchecked. This is the idea of how easy it is to set up remote logging and using syslog to send data back based on the system that's already in place using pfSense unified threat manager.

Now, when we send these messages back, what does a syslog message look like? Well, a syslog message is going to contain a couple of things. It contains a PRI code, which is a priority code. It contains a header and it contains a message portion; let's talk about each of these. First, we have this PRI code, this priority, and this is going to be calculated based on the facility and the severity level of the data. Next, we have a header, and the header is going to contain the timestamp of the event and the host name, so we know where it came from and what time it was. And hopefully we'll do that in UTC so we can have everything in a nice standard format. If not, your SIEM will probably convert it to UTC for you. And finally, we have the message portion, which contains the source process of the event and the related content: basically, what data happened and what do you want to tell us about? And that's the idea here with the message portion. This is the meat and potatoes of this message.

Now, when we dealt with syslog, there were a couple of drawbacks to it in the original version. The original protocol relied on UDP, as I said, UDP port five, one, four. Now, this can cause delivery issues with congested networks because UDP is a fire-and-forget protocol. It sends it and doesn't wait for a response and acknowledgement, and so it just assumes it got there. If you have a congested network, you can have data that is being dropped, and therefore your information is not going to get to the log server and not be logged. In the early days, this may have been okay, because people assumed everyone on your network was trustworthy, but these days we don't want that. We want to make sure our data gets there, so we're going to have to come up with a solution for this. The second thing is that there are not very many basic security controls. There wasn't anything like encryption or authentication included by default with syslog, and this again was another drawback. So, in modern implementations of syslog, we've corrected these things.

Now, due to these security issues, our newer syslog implementations have added lots of different features and capabilities, and we're going to talk about a couple of them here. First, newer implementations use port 1468 for TCP for consistent delivery. This way, if the network gets congested and that message can't get there, it will redeliver it over and over again because it's using TCP. The second improvement: newer implementations can use TLS, or Transport Layer Security, to encrypt your messages being sent to servers. That way, that data in transit can't be read by somebody else on the network; it can only be read by the endpoint who sent it and the server who's receiving it. The third thing is that newer implementations also use MD5 and SHA-1 to provide authentication and integrity. This way, the messages can have message authentication and integrity as they are transiting your network, to make sure they're not being messed with by anybody else. This prevents any kind of man-in-the-middle attack that could destroy the integrity of the message. Additionally, we have this fourth thing, which is that some newer implementations can use message filtering, automated log analysis, event response scripting, and alternate message formats. Again, lots of other features; I'm not focusing too much on this set though, because really the three big ones that we care about are: we've moved to TCP for consistent delivery, we have moved to TLS for encryption, and we started using MD5 and SHA-1 for authentication and integrity. Now, this newer version of the server is usually called syslog-ng, for syslog next generation, or rsyslog.

Now the final thing I want to mention about syslog before we end this lesson is that syslog is often used to mean three things. It can refer to the protocol that we send the data over, it can refer to the server, as in a syslog server, or it can refer to the log entries themselves, as in syslog data. People will often just say syslog and they mean all three or any of these three, depending on the context. So just be careful about that as you hear people talking in the industry, to make sure you understand which one of the three they're talking about.
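The PRI, header and message layout described in the lesson, shown as an added Python example (this is not code from the lesson or from pfSense): it parses the classic BSD-style syslog line, splits the PRI into facility and severity using PRI = facility * 8 + severity, normalises the year-less timestamp to UTC the way a SIEM would, and offers a severity threshold so a collector can keep only what matters instead of everything. The sample lines are constructed, not real captures, and the BSD layout is an assumption (modern RFC 5424 lines carry a version field and a full timestamp).

```python
import re
from datetime import datetime, timezone

# Severity codes 0-7 and the standard facility codes (RFC 3164 / RFC 5424).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# Classic BSD layout assumed here: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: CONTENT
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def decode_pri(pri):
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

def parse_syslog(line, year=None):
    """Parse one BSD-style syslog line into its PRI, header and message parts."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    # The BSD timestamp has no year and no zone: assume this year and UTC, as a SIEM would.
    year = year or datetime.now(timezone.utc).year
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES[severity],
            "timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
            "host": m["host"], "process": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"]}

def at_least(record, level):
    """True if the record is as severe as `level` or worse (lower code = more severe)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(level)

if __name__ == "__main__":
    # Constructed sample lines in the shape a pfSense box might forward (not real captures).
    samples = [
        "<134>Oct  5 12:34:56 pfsense filterlog[12345]: block in on igb1: 192.0.2.10 -> 198.51.100.5 tcp/22",
        "<36>Oct  5 12:35:01 pfsense sshd[777]: Failed password for admin from 192.0.2.10 port 54321",
    ]
    for rec in (parse_syslog(s, year=2024) for s in samples):
        print(rec["timestamp"], rec["facility"], rec["severity"], rec["host"], rec["process"], rec["message"])
```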