PSMD
Passive syslog monitor daemon (psmd) can be found on SourceForge.
What is psmd?
psmd is short for passive syslog monitor daemon. psmd listens on
an interface and writes the syslog messages that it sees to disk along
with a hash. In addition, it can forward the syslog messages it captures to
another system as though the messages came from the original device.
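To illustrate what such a passive collector records, here is an added example written for this page (not psmd's own source, which is in the SourceForge distribution): it decodes the PRI header of captured syslog datagrams and stores each one with a SHA-256 chained to the previous record, so a missing or altered line is detectable afterwards. The chained-hash layout, the record fields and the sample datagrams are assumptions; the page does not say which hash psmd writes.

```python
import hashlib

# Constructed sample datagrams as a listener on a mirrored switch port would
# see them: (source IP, destination IP, raw UDP payload). Not real captures.
SAMPLE_DATAGRAMS = [
    ("10.1.2.3", "10.1.2.250",
     b"<34>Oct 26 08:06:01 dmzhost sshd[4123]: Failed password for root from 10.0.0.5 port 51234 ssh2"),
    ("10.1.2.4", "10.1.2.251", b"<13>Oct 26 08:06:02 dmzweb httpd: GET /index.html 200"),
    ("10.1.2.5", "10.1.2.250", b"no PRI header on this one"),
]

# Chain start value (assumption: the page does not document psmd's hash layout).
GENESIS = "0" * 64


def parse_syslog(payload: bytes):
    """Split an RFC 3164 datagram into (facility, severity, text).
    PRI is '<n>' with 0 <= n <= 191; facility = n // 8, severity = n % 8.
    A missing or malformed PRI is treated as <13> (user.notice) per RFC 3164."""
    text = payload.decode("utf-8", errors="replace")
    end = text.find(">")
    if text.startswith("<") and 1 < end <= 4 and text[1:end].isdigit() and int(text[1:end]) <= 191:
        pri = int(text[1:end])
        return pri // 8, pri % 8, text[end + 1:]
    return 1, 5, text


def record_hash(prev_hash: str, src: str, dst: str, text: str) -> str:
    """SHA-256 over the previous record's hash plus this record's fields, so every
    record commits to everything written before it (assumed hash-chain design)."""
    h = hashlib.sha256()
    for part in (prev_hash, src, dst, text):
        h.update(part.encode("utf-8") + b"\x00")  # NUL separator keeps fields unambiguous
    return h.hexdigest()


def record_messages(datagrams, prev_hash=GENESIS):
    """Turn captured datagrams into hashed records ready to be written to disk."""
    records = []
    for src, dst, payload in datagrams:
        facility, severity, text = parse_syslog(payload)
        prev_hash = record_hash(prev_hash, src, dst, text)
        records.append({"src": src, "dst": dst, "facility": facility,
                        "severity": severity, "msg": text, "hash": prev_hash})
    return records


def verify_chain(records, prev_hash=GENESIS) -> bool:
    """Recompute the chain; False if any record was altered, removed or reordered."""
    for r in records:
        if record_hash(prev_hash, r["src"], r["dst"], r["msg"]) != r["hash"]:
            return False
        prev_hash = r["hash"]
    return True
```

Note that a chain like this detects edits and gaps in the middle but not truncation at the end; the collector running on a host you control, as the page describes, is what protects the tail.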
Why use it?
I wrote psmd to solve a problem. I wanted to record all the
syslog traffic on a DMZ when I did not control the systems on the DMZ
or the logging hosts that the systems were sending traffic to.
After the third security event where I was unable to get good syslog
data from one of these hosts due to a disk full condition on a central
logging server, I wrote this tool and started running it on a mirrored
switch port in the DMZ. This not only gave me the log data that I
needed on a system that I controlled (and would not run out of disk
space), it also gave me all the syslog messages regardless of the
destination host. This also allowed me to get syslog messages
before a non-RFC-compliant syslog relay obscured or mangled any part of
the message.
More details can be found in the README and INSTALL files which are included in the distribution.
What is in the works?
Thanks to a friend with a nasty habit of making feature suggestions, I
am working on an automated tokenizer and storage system to allow logs to
be stored in a very compressed format. In addition, this new
functionality is a launch pad to providing some anomaly detection.
Please report issues to webmaster@uberadmin.com
Last updated: 2006-10-26 @ 8:06am