syslog is used to manage log messages in a centralized way. syslog got its start as a way of centrally recording messages for a set of UNIX machines, but many network devices (routers, hubs, etc.) now use syslog to report status and usage information. Such devices often don't even have a way to record this information locally, because they don't have any writable storage media; if you want to know what they're reporting, something has to be listening to their syslog messages.
Attackers will often attempt to flood a site's syslog server in order to cover their tracks, so that the server runs out of disk space and stops logging new messages, or so that the evidence of their activities is lost in the noise.
syslog is a UDP-based service. syslog servers (which record messages logged by other systems) listen on UDP port 514. syslog clients generally (but not always) use ports above 1023 to talk to servers. syslog servers never send messages back to clients. syslog servers can be configured to pass messages along to other syslog servers; in such cases, the sending server generally uses port 514 as the client port.
| Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | ACK Set | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | UDP | >1023[41] | 514 | [42] | External client contacting internal syslog server |
| Out | Int | Ext | UDP | >1023[41] | 514 | [42] | Internal client contacting external syslog server |
| In | Ext | Int | UDP | 514 | 514 | [42] | External syslog server passing message to internal syslog server |
| Out | Int | Ext | UDP | 514 | 514 | [42] | Internal syslog server passing message to external syslog server |
[41] Some syslog clients sometimes use ports below 1024.
[42] UDP packets do not have ACK bits.
syslog is a self-proxying protocol; that is, syslog servers can generally be configured to simply pass messages they receive on to other syslog servers.
Do not allow syslog in from the outside world. In this way, you'll prevent attackers from attempting to flood your syslog servers.
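As an added illustration (this is example code written for this page, not from the book or any firewall product), the following Python models the table above as a small first-match packet filter and runs constructed sample packets through it twice: once against the four rows exactly as written, and once against the policy the text recommends (no syslog in from the outside). The internal network 10.0.0.0/8, the external addresses, and the packet labels are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SYSLOG_PORT = 514
# Constructed: the table's "Int" side is modelled as one private network.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (Ext -> Int) or "out" (Int -> Ext)
    proto: str
    dport: int
    action: str             # "permit" or "deny"
    sport_min: int = 0      # source-port range; defaults cover any port
    sport_max: int = 65535


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def direction(pkt: Packet) -> str:
    """Map the packet's addresses onto the table's Direction column."""
    src_int, dst_int = is_internal(pkt.src), is_internal(pkt.dst)
    if dst_int and not src_int:
        return "in"
    if src_int and not dst_int:
        return "out"
    return "local"  # never crosses the perimeter filter


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied.

    Only direction, protocol and ports decide the outcome: UDP carries no
    ACK bit to test [42], so there is nothing else to key on.
    """
    d = direction(pkt)
    if d == "local":
        return "not-filtered"
    for rule in rules:
        if (rule.direction == d and rule.proto == pkt.proto
                and rule.dport == pkt.dport
                and rule.sport_min <= pkt.sport <= rule.sport_max):
            return rule.action
    return "deny"


# The four table rows transcribed literally (permits in both directions).
ROW_RULES = [
    Rule("in", "UDP", SYSLOG_PORT, "permit", 1024, 65535),   # row 1
    Rule("out", "UDP", SYSLOG_PORT, "permit", 1024, 65535),  # row 2
    Rule("in", "UDP", SYSLOG_PORT, "permit", 514, 514),      # row 3
    Rule("out", "UDP", SYSLOG_PORT, "permit", 514, 514),     # row 4
]

# The policy the text recommends: nothing in, outbound logging still allowed.
RECOMMENDED_RULES = [
    Rule("in", "UDP", SYSLOG_PORT, "deny"),     # replaces rows 1 and 3
    Rule("out", "UDP", SYSLOG_PORT, "permit"),  # covers rows 2 and 4
]

# Constructed sample traffic: one packet per table row plus two edge cases.
SAMPLE_PACKETS = {
    "ext-client-to-int-server":   Packet("198.51.100.7", "10.0.0.5", "UDP", 40000, 514),
    "int-client-to-ext-server":   Packet("10.0.0.9", "203.0.113.20", "UDP", 50000, 514),
    "ext-server-relay-to-int":    Packet("198.51.100.7", "10.0.0.5", "UDP", 514, 514),
    "int-server-relay-to-ext":    Packet("10.0.0.5", "203.0.113.20", "UDP", 514, 514),
    "ext-client-low-source-port": Packet("198.51.100.7", "10.0.0.5", "UDP", 600, 514),  # note [41]
    "int-client-to-int-server":   Packet("10.0.0.9", "10.0.0.5", "UDP", 40000, 514),
}


def audit(rules=RECOMMENDED_RULES, packets=SAMPLE_PACKETS) -> dict:
    """Return {label: decision} for every sample packet under the given rules."""
    return {label: evaluate(rules, pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for name, rules in (("table rows as written", ROW_RULES),
                        ("recommended policy", RECOMMENDED_RULES)):
        print(f"== {name} ==")
        for label, decision in audit(rules).items():
            print(f"  {label:28s} {decision}")
```

Running it shows the two consequences the text and footnotes describe: under the literal rows a client that happens to use a source port below 1024 is dropped even though it is a legitimate client (note [41]), and under the recommended policy every inbound packet to UDP/514 is dropped, including relayed messages from an external syslog server, while internal hosts and servers can still send outward.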