The purpose of the LBNL Central Syslog Server project is to centrally aggregate the information about host activity that is available via syslog, as a resource to help the Computer Protection Program (CPP) prevent and mitigate damage from security incidents. Large parts of the Internet, LBNL included, have been experiencing attacks in which account credentials (username and password) are stolen, typically when a user logs in to a secure host from a compromised host. Once the credentials are stolen, the attacker(s) access the secure host and attempt to compromise it, often successfully. The process is then repeated from the newly compromised host; this has been a very successful methodology for attackers. What makes the attack particularly difficult to defend against is that all of this is done over an encrypted channel (SSH), so the activity cannot be monitored on the wire; the host's own syslog records are therefore one of the few places the activity is visible.

Anytime your host records syslog information, it will be sent to the central syslog server in addition to being written to your local syslog files.
For more information on syslog, go to the CPP’s LBNL Central Syslog Server page (Intranet).
For technical support, please call the IT Help Desk at 486-4357 or go to the IT Helpdesk Web site.