John_Fleming
Advisor

SMP Portal configuring remote syslog hosts

So this seems... odd. I signed up my 1550 into the SMP portal, which I'm not sure I'm digging so far, but that's another story.

I was poking around in syslog configuration and ran across this.


$ModLoad imuxsock.so
$LocalHostName |stuff|
$DefaultNetstreamDriverCAFile /opt/fw1/bin/ca-bundle.crt
$ActionSendStreamDriver ossl
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.Syslog
$template format,"%$YEAR% %timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogpriority-text% %programname%: %msg%\n"
$outchannel msg_rotation,/var/log/messages, 204800,/pfrm2.0/bin/log_gzip.sh /var/log/messages
$outchannel ntf_rotation,/logs/notifications, 204800,/pfrm2.0/bin/log_gzip.sh /logs/notifications
*.info;mail.!* :omfile:$msg_rotation;format
mail.info :omfile:$ntf_rotation;format
*.info;mail.!* @mysyslogserver:514
*.info;mail.!* @209.87.212.13:514
*.info;mail.!* @209.87.212.16:514
*.info;mail.!* @209.87.212.14:514
*.info;mail.!* @209.87.212.15:514
*.info;mail.!* @209.87.222.192:514


I never configured the firewall to send syslog events to those addresses. I get the need for logs, but OS logs? Again, maybe it's part of SMP and that's fine, I guess... but UDP syslog? That just seems a bit strange. I sure hope there is some dynamic filtering going on and that those addresses aren't just open to the public at large.

0 Kudos
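An added example, not from the post and not Check Point's code: a small Python auditor for legacy-syntax rsyslog fragments like the one quoted above. It lists every remote forward, records that `@` (UDP) actions are plaintext regardless of the `$ActionSendStreamDriver*` settings (the rsyslog netstream drivers such as ossl only wrap TCP `@@` actions), classifies literal IP targets as globally routable or not, and flags forwards to hosts that are not on an operator allow-list. The embedded sample config is constructed from the lines in the post plus one hypothetical TCP forward to a TEST-NET address; `mysyslogserver` is treated as the only approved destination purely for illustration.

```python
"""Audit a legacy-syntax rsyslog fragment for remote log-forwarding targets.

Added example for this thread, not part of the original post or of any
Check Point product. It assumes legacy ($-directive) rsyslog syntax, which
is what the quoted configuration uses.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample: UDP forwards taken from the post, plus one hypothetical
# TCP (@@) forward to a TEST-NET address added here to show the contrast.
SAMPLE_CONF = """\
$ModLoad imuxsock.so
$DefaultNetstreamDriverCAFile /opt/fw1/bin/ca-bundle.crt
$ActionSendStreamDriver ossl
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.Syslog
*.info;mail.!* :omfile:$msg_rotation;format
mail.info :omfile:$ntf_rotation;format
*.info;mail.!* @mysyslogserver:514
*.info;mail.!* @209.87.212.13:514
*.info;mail.!* @209.87.212.16:514
*.info;mail.!* @@203.0.113.10:6514
"""

# selector, then "@" (UDP) or "@@" (TCP), an optional "(...)" option block,
# the host, and an optional ":port"
FORWARD_RE = re.compile(r"^(?P<selector>\S+)\s+(?P<transport>@@?)(?:\([^)]*\))?"
                        r"(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$")
DIRECTIVE_RE = re.compile(r"^\$(?P<name>\w+)\s+(?P<value>.+?)\s*$")


@dataclass
class Forward:
    selector: str
    transport: str             # "udp" or "tcp"
    host: str
    port: int
    encrypted: bool            # True only for TCP with StreamDriverMode 1 in effect
    public_ip: Optional[bool]  # None when the host is a name we cannot classify offline
    allowed: bool


def classify_host(host: str) -> Optional[bool]:
    """True if a literal IP is globally routable, False if not, None for hostnames."""
    try:
        return ip_address(host).is_global
    except ValueError:
        return None


def audit(conf: str, allowed_hosts: set) -> list:
    """Walk the config top to bottom, tracking the TLS mode that precedes each action."""
    tls_mode = 0  # rsyslog default: no TLS
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = DIRECTIVE_RE.match(line)
        if d:
            if d["name"] == "ActionSendStreamDriverMode":
                tls_mode = int(d["value"])
            continue
        f = FORWARD_RE.match(line)
        if not f:
            continue  # file outputs, templates, outchannels: not remote forwards
        is_tcp = f["transport"] == "@@"
        findings.append(Forward(
            selector=f["selector"],
            transport="tcp" if is_tcp else "udp",
            host=f["host"],
            port=int(f["port"] or 514),
            # Netstream drivers (gtls/ossl) only wrap TCP; a "@" UDP action is
            # plaintext no matter what the $ActionSendStreamDriver* lines say.
            encrypted=is_tcp and tls_mode == 1,
            public_ip=classify_host(f["host"]),
            allowed=f["host"] in allowed_hosts,
        ))
    return findings


def unexpected_plaintext(findings: list) -> list:
    """Forwards the operator did not approve that leave the box unencrypted."""
    return [x for x in findings if not x.allowed and not x.encrypted]


if __name__ == "__main__":
    for fw in audit(SAMPLE_CONF, {"mysyslogserver"}):
        print(f"{fw.transport:3} {fw.host}:{fw.port}  encrypted={fw.encrypted} "
              f"public_ip={fw.public_ip} allowed={fw.allowed}")
```

Run it against the real `/etc/rsyslog.conf` by reading the file into `audit()` with the destinations you actually provisioned in the allow-list; anything returned by `unexpected_plaintext()` is a forward worth raising with the vendor, exactly as the post does.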
1 Reply
John_Fleming
Advisor

Oh, and... uh... the default Gaia web portal is enabled on those. Again, seems... um... strange.

0 Kudos
