Passive Syslog Monitor Daemon (PSMD)







Passive syslog monitor daemon (psmd) can be found on SourceForge.

What is psmd?

psmd is short for passive syslog monitor daemon. psmd listens on an interface and writes the syslog messages that it sees to disk along with a hash. In addition, it can forward the syslog messages to another system as though they came from the original device.
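As an added illustration (not code from psmd itself), the following Python sketches the passive path described above: pulling a syslog datagram out of a frame seen on a mirrored port, decoding its PRI field, and storing it with a SHA-256 hash so the stored copy can later be checked for tampering. The frame, addresses and message are constructed for the example; the forwarding feature is not shown.

```python
import hashlib
import struct

# Constructed sample RFC 3164 syslog message; addresses, host and text are made up.
SYSLOG_PAYLOAD = b"<34>Oct 29 11:44:00 dmzhost sshd[1234]: Failed password for root"


def build_frame(src_ip, dst_ip, payload):
    """Build a minimal Ethernet/IPv4/UDP frame to port 514 (checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    udp = struct.pack("!HHHH", 40000, 514, udp_len, 0)
    return eth + ip + udp + payload


def parse_syslog_frame(frame):
    """Return (src_ip, facility, severity, msg) for a UDP/514 frame, else None."""
    if frame[12:14] != b"\x08\x00":           # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 17:                            # not UDP
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    _, dport, ulen, _ = struct.unpack("!HHHH", frame[14 + ihl:14 + ihl + 8])
    if dport != 514:
        return None
    payload = frame[14 + ihl + 8:14 + ihl + ulen]
    # PRI is "<N>" with facility = N // 8 and severity = N % 8 (RFC 3164).
    if not payload.startswith(b"<") or b">" not in payload[:5]:
        return None
    end = payload.index(b">")
    pri = int(payload[1:end])
    return src_ip, pri // 8, pri % 8, payload[end + 1:].decode("utf-8", "replace")


def _digest(src_ip, msg):
    return hashlib.sha256(src_ip.encode() + b"\x00" + msg.encode()).hexdigest()


def store_record(src_ip, msg):
    """On-disk line: source, message and a SHA-256 over both, tab separated."""
    return f"{src_ip}\t{msg}\t{_digest(src_ip, msg)}"


def verify_record(line):
    """Recompute the hash of a stored line; False if source or message changed."""
    src_ip, rest = line.split("\t", 1)
    msg, digest = rest.rsplit("\t", 1)
    return digest == _digest(src_ip, msg)
```

In practice the frames would come from a capture library on the mirrored interface rather than from `build_frame`; the parser and record format are unchanged.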

Why use it?

I wrote psmd to solve a problem. I wanted to record all the syslog traffic on a DMZ when I did not control the systems on the DMZ or the logging hosts that the systems were sending traffic to. After the third security event where I was unable to get good syslog data from one of these hosts due to a disk-full condition on a central logging server, I wrote this tool and started running it on a mirrored switch port in the DMZ. This not only gave me the log data that I needed on a system that I controlled (and that would not run out of disk space), it also gave me all the syslog messages regardless of the destination host. It also allowed me to capture syslog messages before a non-RFC-compliant syslog relay obscured or mangled any part of the message.

More details can be found in the README and INSTALL files which are included in the distribution.

What is in the works?

Thanks to a friend with a nasty habit of making feature suggestions, I am working on an automated tokenizer and storage system to allow logs to be stored in a very compressed format. In addition, this new functionality is a launch pad for providing some anomaly detection.


Please report issues to webmaster@uberadmin.com

Last updated: 2011-10-29 @ 11:44am