Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.








Port Authority Database

Port 514

Name: syslog

Purpose: Remote system event logging

Description: A syslog server opens port 514 and listens for incoming syslog event notifications (carried by UDP protocol packets) generated by remote syslog clients. Any number of client devices can be programmed to send syslog event messages to whatever servers they choose.

Related Ports: -




Background and Additional Information:

Syslog is the Internet's most common and ubiquitous network event logging protocol. Most, if not all, high-end commercial network equipment can be configured to send various classes of syslog messages to listening syslog servers. Network management personnel depend heavily upon syslog messages to inform them of problems and events throughout their networks.

Recently, many small business and residential network appliances, such as NAT routers, have added syslog message logging capabilities. Such devices can be configured to generate and send syslog messages to computers within their local network. These message logs can report and detail occurrences on the outside WAN interface of the router, such as unsolicited traffic which has been ignored and dropped by the router (after first being logged).

Security Implications

Since syslog's port 514 operates with the UDP protocol and receives messages silently (returning no confirmation of their receipt), an open syslog port is not readily visible. Two potential vulnerabilities exist when a syslog server is exposed to the Internet. First, someone could determine that an exposed syslog service is present and maliciously flood its log with erroneous messages. Second, if the specific syslog server in use is known to have exploitable security vulnerabilities, those could be exploited by random Internet-wide scans. For these reasons, and since syslog is generally only used within controlled, local network boundaries, corporate and ISP networks may wish to block incoming UDP traffic destined to port 514 of any internal machines.
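
One way a syslog receiver can limit the flooding risk described above, as an added example that is not part of the original page or any GRC code: it accepts datagrams only from a local network range and rate-limits each sender before checking the RFC 3164 priority prefix. The names `SyslogGate` and `parse_pri`, the 192.168.1.0/24 range, the limits and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
import time

PRI_RE = re.compile(rb"^<(\d{1,3})>")   # RFC 3164 priority prefix, e.g. <13>
MAX_LEN = 1024                          # RFC 3164 limit on total packet length


def parse_pri(packet):
    """Return (facility, severity) from an RFC 3164 packet, or None if invalid."""
    m = PRI_RE.match(packet)
    if not m or len(packet) > MAX_LEN:
        return None
    pri = int(m.group(1))
    return divmod(pri, 8) if pri <= 191 else None   # 24 facilities x 8 severities


class SyslogGate:
    """Decide whether a UDP syslog datagram should be written to the log."""

    def __init__(self, allowed_nets, burst=5, per_second=1.0):
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.burst, self.rate = burst, per_second
        self.buckets = {}               # source IP -> (tokens, time last seen)

    def check(self, src_ip, packet, now=None):
        now = time.monotonic() if now is None else now
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.nets):
            return "drop-source"        # sender is outside the local network
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[src_ip] = (tokens, now)
            return "drop-rate"          # one sender is flooding: stop logging it
        self.buckets[src_ip] = (tokens - 1, now)
        ok = parse_pri(packet) is not None
        return "accept" if ok else "drop-malformed"


if __name__ == "__main__":
    gate = SyslogGate(["192.168.1.0/24"], burst=2)
    # Constructed sample datagrams (assumed values, not captured traffic).
    msg = b"<13>Oct 11 22:14:15 router kernel: dropped inbound packet"
    for src, pkt in [("192.168.1.1", msg), ("203.0.113.9", msg),
                     ("192.168.1.1", b"no priority"), ("192.168.1.1", msg)]:
        print(src, gate.check(src, pkt, now=0.0))
```

Because UDP source addresses can be forged, a filter like this complements blocking inbound UDP port 514 at the network boundary and does not replace it.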

Syslog informational RFC:

  http://www.ietf.org/rfc/rfc3164.txt

  http://www.faqs.org/rfcs/rfc3164.html

Trojan Sightings: RPC Backdoor

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2020 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.