yule (version 1.2.8+) can listen on port 514/udp to collect reports from syslog clients. This must be enabled by using the --enable-udp configure option when compiling. In addition, in the Misc section of the configuration file, you must set the option SetUDPActive=yes.
This option requires running yule either as root or as SUID root. For security, yule drops root privileges irrevocably, immediately after binding to port 514/udp. It then assumes the credentials of a compiled-in user. The default is 'yule', 'daemon', or 'nobody' (i.e. the first of these that exists on your system). You can override this with the --enable-identity=USER option. Note that each daemon should have its own user/group, so that an exploit of one daemon will not give write access to files owned by other daemons.