passlogd v0.1f - passive syslog capture daemon copyright (c) 2005 - christian void <cvoid@morphine.com>
license
passlogd is released under a BSD style license. please see the file LICENSE for more information. portions of passlogd are taken from the angst active sniffer by patroklos argyroudis <argp@bsd.gr>.
description
passlogd is a purpose-built sniffer for capturing syslog messages in transit. this allows for backup logging to be performed on a machine with no open ports.
changes
please see the file CHANGES for information about changes from previous releases.
building and installing
in a perfect world, you should be able to just run:
make
cp ./passlogd /path/to/where/you/want/it
libpcap is required for building. as of now, it is known to compile under linux (slackware 7.1) and openbsd (2.9), but your mileage may vary. this is an alpha release. eventually, i plan on rewriting this total hack from the ground up and making sure it builds on all the useful platforms (netbsd, freebsd, linux, solaris, etc).
features and options
passlogd supports the following command line options:
-h              display this message
-s              log captured messages to local syslog
-r              reverse lookup ip addresses
-d              debug mode
-i<ipaddr>      ignore packets from <ipaddr>
-p<port>        listen for syslog packets to <port> (default: 514)
-e<interface>   set the interface to listen on
-f<filename>    log to <filename> (default: /var/log/passlog)
-S              use syslog format in logfile
when executed with no options, passlogd logs to stdio. the log entries contain the source and destination addresses along with the actual syslog message captured. when saving captured data to a logfile with the -f option, or logging to stdio, the messages appear as follows:
Tue Jun 5 14:22:42 2001 bonsai to sponge: <36> su[877]: Authentication ...
Tue Jun 5 14:22:42 2001 bonsai to sponge: <37> su[877]: - pts/0 cvoid-root
Tue Jun 5 14:22:55 2001 bonsai to sponge: <36> su[878]: Authentication ...
Tue Jun 5 14:22:55 2001 bonsai to sponge: <37> su[878]: - pts/0 cvoid-root
the -s option causes passlogd to pass captured messages off to the local syslog, attempting to use the priority found in the captured message.
the -f option causes passlogd to log all captured messages to a logfile. if no filename is specified, it defaults to /var/log/passlog.
the -i option can be used to mask out a single host whose syslog packets you do not want to see. this will eventually allow you to filter more than one address.
use -p to set the destination port that passlogd looks for to capture syslog messages. this is useful if you run syslog on a port other than 514.
the interface to use can be specified using -e. if no interface is specified, passlogd defaults to the first interface available.
reverse lookups can be enabled with the -r option. this is off by default as reverse lookups can cause performance problems.
the -d debug flag is pretty useless and should probably be removed. i'm just a bit too lazy.
the -S option forces passlogd to format logfile entries in syslog format.
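the following is an added example, not part of passlogd and not taken from its source, showing what a passive syslog capture of the kind described above has to do once libpcap hands it a packet: decode the IPv4 and UDP headers, keep only datagrams addressed to the syslog port (the -p setting), drop sources that are masked out (the -i setting), pull the <PRI> value out of the payload so it can be passed to the local syslog with the captured facility and severity (the -s setting), and render the "date source to destination: <pri> message" line shown earlier. it assumes IPv4/UDP only with no link-layer header, leaves checksums at zero in the constructed test packets, stands in for -r with a small address-to-name dictionary, and generalises -i to a set of addresses rather than a single host. the names PassiveSyslogCapture, build_syslog_packet, parse_ipv4_udp and parse_priority are this example's own.

```python
"""Toy passive syslog capture: parse raw IPv4/UDP datagrams, keep the ones
destined for the syslog port, and render passlogd-style log lines.

Added example, not passlogd's code.  A real deployment would feed packets
from libpcap (minus the link-layer header) into PassiveSyslogCapture.handle().
"""
import re
import socket
import struct
from datetime import datetime

IPPROTO_UDP = 17
DEFAULT_SYSLOG_PORT = 514  # the -p default

# RFC 3164 facility/severity names; list index == numeric code
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def build_syslog_packet(src_ip, dst_ip, dst_port, payload, src_port=40000):
    """Construct a raw IPv4+UDP datagram (no Ethernet header) for testing.
    Checksums stay zero: UDP allows that on IPv4 and the parser ignores them."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def parse_ipv4_udp(packet):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None if not IPv4/UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_UDP:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    if len(packet) < ihl + 8:
        return None
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]  # ulen counts the 8-byte UDP header
    return src_ip, dst_ip, sport, dport, payload


def parse_priority(message):
    """Split a syslog message into (facility, severity, text).
    A missing or out-of-range <PRI> falls back to 13 (user.notice), the RFC 3164 default."""
    m = _PRI_RE.match(message)
    if m is None or int(m.group(1)) > 191:
        pri, text = 13, message
    else:
        pri, text = int(m.group(1)), message[m.end():].lstrip()
    return pri >> 3, pri & 7, text


def priority_names(facility, severity):
    """Names to hand to the local syslog, as -s would."""
    return FACILITIES[facility], SEVERITIES[severity]


class PassiveSyslogCapture:
    def __init__(self, port=DEFAULT_SYSLOG_PORT, ignore=(), resolver=None):
        self.port = port
        self.ignore = set(ignore)        # like -i, but any number of addresses
        self.resolver = resolver or {}   # stand-in for -r reverse lookups
        self.entries = []

    def _name(self, ip):
        return self.resolver.get(ip, ip)

    def handle(self, packet, ts=None):
        """Process one raw packet; return the log line, or None if it was filtered."""
        parsed = parse_ipv4_udp(packet)
        if parsed is None:
            return None
        src, dst, _sport, dport, payload = parsed
        if dport != self.port or src in self.ignore:
            return None
        message = payload.decode("utf-8", "replace").rstrip("\r\n\x00")
        facility, severity, text = parse_priority(message)
        stamp = (ts or datetime.now()).ctime()     # e.g. "Tue Jun  5 14:22:42 2001"
        entry = f"{stamp} {self._name(src)} to {self._name(dst)}: <{facility * 8 + severity}> {text}"
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    # constructed sample traffic: one auth warning, one packet from a masked host
    cap = PassiveSyslogCapture(ignore={"10.0.0.7"},
                               resolver={"10.0.0.5": "bonsai", "10.0.0.9": "sponge"})
    print(cap.handle(build_syslog_packet("10.0.0.5", "10.0.0.9", 514, b"<36>su[877]: Authentication failure")))
    print(cap.handle(build_syslog_packet("10.0.0.7", "10.0.0.9", 514, b"<13>masked out")))
```

the check that matters for a backup logger is the one on the destination port: everything else on the wire is dropped before decoding, so a sniffer of this kind never has to bind a socket, which is what lets the capturing host keep no ports open.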
acknowledgements
thanks to otto and skrod for the idea, and for help with proofing the distribution archive, and to patroklos argyroudis for the angst sniffer, portions of which i used as an example of how to use libpcap.
special thanks to robert tinsley and you dong-hun for providing fixes to the parser code.
