Syslog Security Considerations; Message Forgery - 3Com 3C10402B Administrator's Manual

402  Chapter 16: Network Management

the CONTENT field. Traditionally, however, only the hostname has been
included in the HOSTNAME field.

Originating Process Information in MSG

You might want to include some information about the process on the
device that generated the message. This information usually consists of
the process name and process ID (often known as the "pid") for robust
applications. The process name is commonly displayed in the TAG field.
Quite often, additional information is included at the beginning of the
CONTENT field. The format

    TAG[PID]:

is common. The left square bracket is used to terminate the TAG field in
this case, and is then the first character in the CONTENT field. If the
process ID is not needed, it may be omitted. In that case, a colon and a
space character usually follow the TAG. This would be displayed as

    TAG:

In that case, the colon is the first character in the CONTENT field.

Syslog Security Considerations

Message Forgery

The Syslog process places Event Notification messages into files on that
system. This process relies upon the integrity of the system for the
protection of the messages. Be aware that event messages might be sent
accidentally, erroneously, and even maliciously. Since Syslog is a relatively
simple protocol, its operations are not secure to the point where its
integrity is robust.

An attacker might transmit Syslog messages (either from the machine
from which the messages are purportedly sent or from any other
machine) to a collector. In one case, an attacker might hide the true
nature of an attack amidst many other messages.

As an example, an attacker might start generating forged messages
indicating a problem on some machine. This might get the attention of
the system administrators who spend time investigating the alleged
problem. During this time, the attacker might be able to compromise a
different machine, or a different process on the same machine.
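As an added example (not code from the 3Com manual or the NBX software), the following Python parses a syslog line into the fields discussed above, splitting MSG into TAG, PID and CONTENT using the "TAG[PID]:" and "TAG: " conventions, and performs the one collector-side check the forgery discussion points to: comparing the sender-supplied HOSTNAME with the address the datagram actually arrived from. The timestamp layout, the sample lines and the host inventory are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the 3Com manual. Assumed (constructed) line
# layout using the fields discussed above: <PRI>TIMESTAMP HOSTNAME MSG,
# where MSG is "TAG[PID]: content" or "TAG: content".
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d "
                     r"\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

@dataclass
class SyslogRecord:
    pri: int
    timestamp: str
    hostname: str   # written by the sender; the protocol does not verify it
    tag: str
    pid: Optional[int]
    content: str

def split_msg(msg: str):
    """TAG ends at the first '[' or ':'; that character stays as the first
    character of CONTENT, as described above. PID is taken from a leading
    "[digits]" in CONTENT and is None for the "TAG: " form."""
    m = re.match(r"^([^\[:]*)([\[:].*)?$", msg)
    if m.group(2) is None:          # no terminator at all: no TAG present
        return "", None, msg
    tag, content = m.group(1), m.group(2)
    pm = re.match(r"^\[(\d+)\]", content)
    return tag, (int(pm.group(1)) if pm else None), content

def parse_line(line: str) -> SyslogRecord:
    h = _HEADER.match(line)
    if not h:
        raise ValueError("line does not match the assumed syslog layout")
    tag, pid, content = split_msg(h.group("msg"))
    return SyslogRecord(int(h.group("pri")), h.group("ts"), h.group("host"),
                        tag, pid, content)

def hostname_matches_source(rec: SyslogRecord, source_addr: str,
                            inventory: dict) -> bool:
    """Collector-side forgery check: HOSTNAME is whatever the sender wrote,
    so compare it with the address the datagram actually arrived from.
    'inventory' maps hostname -> expected source IP (constructed)."""
    return inventory.get(rec.hostname) == source_addr

# Constructed sample lines and inventory, as a collector might see them.
SAMPLE_LINES = ["<13>Jan  5 09:03:27 host1 nbxd[4181]: call setup failed",
                "<38>Jan  5 09:03:28 host1 sshd: Accepted password for admin"]
INVENTORY = {"host1": "192.0.2.10"}
```

A mismatch between HOSTNAME and the observed source address does not prove forgery (relays and NAT also cause it), but it is the cheapest signal a collector has for the "from any other machine" case above.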
