SYSLOG. Vladislav Marinov. February 18th, Jacobs University Bremen. Vladislav Marinov SYSLOG 1

Transcription

1 SYSLOG Vladislav Marinov Jacobs University Bremen February 18th, 2008 Vladislav Marinov SYSLOG 1

2 Have You Seen This? Feb 17 07:38:18 aerztin syslogd 1.4.1#21ubuntu3: restart. Feb 17 07:38:18 aerztin anacron[23256]: Job cron.daily terminated Feb 17 07:38:18 aerztin anacron[23256]: Normal exit (1 job run) Feb 17 07:42:50 aerztin dhclient: DHCPREQUEST on eth0 to port 67 Feb 17 07:42:50 aerztin dhclient: DHCPACK from Feb 17 07:42:50 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0 Feb 17 07:42:50 aerztin dhclient: bound to renewal in 3164 seconds. Feb 17 07:56:19 aerztin -- MARK -- Feb 17 08:16:19 aerztin -- MARK -- Feb 17 08:17:01 aerztin /USR/SBIN/CRON[23439]: (root) CMD ( cd / && run-parts --report /etc/cr on.hourly) Feb 17 08:35:34 aerztin dhclient: DHCPREQUEST on eth0 to port 67 Feb 17 08:35:34 aerztin dhclient: DHCPACK from Feb 17 08:35:34 aerztin dhclient: bound to renewal in 2767 seconds. Feb 17 08:35:34 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0 Feb 17 08:56:19 aerztin -- MARK -- Feb 17 09:16:19 aerztin -- MARK -- Feb 17 09:17:01 aerztin /USR/SBIN/CRON[23459]: (root) CMD ( cd / && run-parts --report /etc/cr on.hourly) Feb 17 09:21:41 aerztin dhclient: DHCPREQUEST on eth0 to port 67 Feb 17 09:21:41 aerztin dhclient: DHCPACK from Feb 17 09:21:41 aerztin dhclient: bound to renewal in 3222 seconds. Feb 17 09:21:41 aerztin NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0 Vladislav Marinov SYSLOG 2

3 The SYSLOG Protocol A management protocol used to convey event notification messages [4] Utilizes a layered architecture which allows to separate message content from message transport Mesages are usually recorded in /var/log/syslog on UNIX systems Vladislav Marinov SYSLOG 3

4 Overview 1 SYSLOG Architecture 2 SYSLOG Content 3 SYSLOG Transport Mappings 4 SYSLOG-SIGN Vladislav Marinov SYSLOG 4

5 SYSLOG Layers content content syslog application syslog application (originator, collector, relay) syslog transport syslog transport (transport sender, (transport receiver) ^ ^ syslog content - the management information contained in a syslog message. syslog application - handles generation, interpretation, routing and storage of syslog messages. syslog transport - puts messages on the wire and takes them off the wire. Vladislav Marinov SYSLOG 5

6 Some Definitions originator - generates syslog content to be carried in a message collector - gathers syslog content for further analysis relay - forwards messages, accepting messages from originators or other relays, and sending them to collectors or other relays transport sender passes syslog messages to a specific transport protocol transport receiver - takes syslog messages from a specific transport protocol Vladislav Marinov SYSLOG 6

7 Example Scenarios Originator ---->---- Collector Originator ---->---- Relay ---->---- Collector Originator ---->---- Relay ---->---- Collector \ \ >-- Relay ---->---- Collector Originator ---->---- Relay ----> Collector \ / \ / +->-- Relay -->--/ Vladislav Marinov SYSLOG 7

8 Overview 1 SYSLOG Architecture 2 SYSLOG Content 3 SYSLOG Transport Mappings 4 SYSLOG-SIGN Vladislav Marinov SYSLOG 8

9 SYSLOG Message Format The message is defined in ABNF format SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG] SYSLOG Header Structured Data MSG Part - contains a free-form message that provides information about the event. Vladislav Marinov SYSLOG 9

10 SYSLOG Header PRI - Priority Value - shows what type of message is contained and how urgent it is VERSION - SYSLOG Protocol Version TIMESTAMP - identifies when the message was generated HOSTNAME - FQDN or IP address of the originator APP-NAME - identifies the device or application that originated the message PROCID - process name or process ID associated with a syslog system MSGID - identifies the type of message Vladislav Marinov SYSLOG 10

11 Structured Data Contains the actual data carried in the SYSLOG message Consists of a collection of SD-ELEMENT Each SD-ELEMENT has a SD-ID and a number of name-value pairs Examples: [timequality tzknown="1" issynced="1" syncaccuracy=" "] [origin ip=" " ip=" "] Vladislav Marinov SYSLOG 11

12 SYSLOG Message Example <66> T22:14:15.003Z mymachine.example.com evntslog - ID47 [examplesdid@0 iut="3" eventsource= "Application" eventid="1011"] BOMAn application event log entry... Informational Message coming from a system daemon The originator is mymachine.example.com Generated by the application evntslog No PROCID, MSGID is ID47 contains one SD-ELEMENT and a MSG part Vladislav Marinov SYSLOG 12

13 Overview 1 SYSLOG Architecture 2 SYSLOG Content 3 SYSLOG Transport Mappings 4 SYSLOG-SIGN Vladislav Marinov SYSLOG 13

14 UDP Transport Mapping [1] All SYSLOG implementations must implement UDP as a SYSLOG transport Involves very little overhead One SYSLOG message per datagram SYSLOD daemons listening on port UDP/514 Some concerns: Unreliable Delivery Message corruption Congestion control Sequenced delivery Sender authentication and message forgery Message observation Message Replay Vladislav Marinov SYSLOG 14

15 TLS Transport Mapping [2] Public Key Certificate A certificate is a data structure which ties a public key to an entity. The principal is usually represented as a hostname or an IP address. The certificate is signed by a trusted third party (i.e encrypted with the third party s private key) The SYSLOG entities are preconfigured with keys and certificates The originator initiates a TLS Handshake with the collector The originator and the collector exchange their certificates Both sides validate the certificate of the other side Session keys are exchanged which encrypt the following communication Vladislav Marinov SYSLOG 15

16 SYSLOG over TLS Originator Collector SYN SYN, ACK ACK TCP 3 packets CLIENT HELLO ACK SERVER HELLO CERTIFICATE CERTIFICATE REQUEST SERVER HELLO DONE TLS/TCP 6 packets ACK CERTIFICATE CERTIFICATE VERIFY KEY EXCHANGE CHANGE CIPHER SPEC CHANGE CIPHER SPEC SYSLOG ACK CLOSE NOTIFY FIN CLOSE NOTIFY FIN, ACK SYSLOG 2 packets TLS/TCP 5 packets ACK Vladislav Marinov SYSLOG 16

17 Overview 1 SYSLOG Architecture 2 SYSLOG Content 3 SYSLOG Transport Mappings 4 SYSLOG-SIGN Vladislav Marinov SYSLOG 17

18 SYSLOG-SIGN [3] Originators and collectors exchnange certificate and public key information as structured data carried over SYSLOG messages (certificate blocks) The SD-ID of certificate blocks is ssign-cert Originators create and store hashes of previously sent messages Occasionally originators send the collection of hashes as structured data carried over SYSLOG messages to the collectors (signature blocks) The SD-ID of signature blocks is ssign Messages carrying hashes are also signed by the originator to protect message integrity Vladislav Marinov SYSLOG 18

19 SYSLOG-SIGN When the collector receives the hashes from the signature blocks it can validate the previously received SYSLOG messages SYSLOG-SIGN solves the SYSLOG/UDP security problems Message Authenticity Message Replay Reliable Delivery Sequenced Delivery Message Integrity Message observation is still possible since the information is carried in plain text Message truncation will render the algorithm unusable Vladislav Marinov SYSLOG 19

20 Conclusion SYSLOG is an event notification management protocol the content of which can be easily extended Simply define new structured data elements SYSLOG allows various transport mappings SYSLOG usually runs over UDP (required mapping) SYSLOG over TLS (recommended transport) - security at the transport layer SYSLOG-SIGN - security at the application layer Vladislav Marinov SYSLOG 20

21 References A.Okmianski. Transmission of syslog messages over UDP. Internet Draft (work in progress) <draft-ietf-syslog-transport-udp-12>, Cisco Systems, Y.Ma F.Miao. TLS Transport Mapping for Syslog. Internet Draft (work in progress) < draft-ietf-syslog-transport-tls-11.tx>, Huawei Technologies, November A. Clemm J. Kelsey, J. Callas. Signed syslog Messages. Internet Draft (work in progress) <draft-ietf-syslog-sign-23.txt>, NIST, PGP Corporation, Cisco Systems, R.Gerhards. The Syslog Protocol. Internet Draft (work in progress) <draft-ietf-syslog-protocol-23>, Adiscon GmbH, Vladislav Marinov SYSLOG 21