Syslog logging

yule (version 1.2.8+) can listen on port 514/udp to collect reports from syslog clients. This must be enabled with the --enable-udp configure option when compiling. In addition, you must set the option SetUDPActive=yes in the Misc section of the configuration file.

This option requires yule to run either as root or as SUID root. For security, yule drops root privileges irrevocably, immediately after binding to port 514/udp, and assumes the credentials of a compiled-in user. The default is 'nobody', but you should probably change this with the --enable-identity=NAMEX option. Daemons should run as a dedicated user, not as 'nobody'.
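The privilege drop described above is only effective if the real, effective, saved and filesystem uids all end up as the unprivileged identity; a saved uid of 0 would let the process call setuid(0) again. The following Python script is an added example (not part of the yule/samhain sources or of this manual page) that verifies this on Linux for whatever process holds port 514/udp, by walking /proc/net/udp, /proc/<pid>/fd and /proc/<pid>/status. The embedded /proc sample texts are constructed, and the identity name 'nobody' is assumed to be the compiled-in user.

```python
# Added example (not part of the yule/samhain sources): verify on Linux that
# the daemon owning port 514/udp has irrevocably dropped root, i.e. that its
# real, effective, saved and filesystem uids all belong to the compiled-in
# identity (--enable-identity=NAMEX at configure time; 'nobody' by default).
# A saved uid of 0 would allow the process to regain root via setuid(0), so
# it is treated as "not dropped". The sample /proc texts below are constructed.
import glob
import os
import pwd
from typing import Optional, Tuple

Uids = Tuple[int, int, int, int]


def udp_socket_inode(proc_net_udp: str, port: int) -> Optional[int]:
    """Return the inode of the first UDP socket bound to `port` in text
    formatted like /proc/net/udp (local port is hex in column 2), or None."""
    for line in proc_net_udp.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        hexport = fields[1].rsplit(":", 1)[1]
        if int(hexport, 16) == port:
            return int(fields[9])                        # inode column
    return None


def parse_uids(status_text: str) -> Optional[Uids]:
    """Extract (real, effective, saved, fs) uids from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            real, eff, saved, fs = (int(x) for x in line.split()[1:5])
            return real, eff, saved, fs
    return None


def privileges_dropped(uids: Optional[Uids], expected_uid: int) -> bool:
    """True only if every one of the four uids equals the unprivileged identity."""
    return uids is not None and all(u == expected_uid for u in uids)


def pid_owning_inode(inode: int) -> Optional[int]:
    """Scan /proc/<pid>/fd for the socket inode (reading other processes'
    fd tables normally requires root)."""
    target = f"socket:[{inode}]"
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                return int(fd.split("/")[2])
        except OSError:
            continue
    return None


def check_live(port: int = 514, identity: str = "nobody") -> str:
    """Inspect the running system and report whether the listener on `port`
    has dropped to `identity` (assumed to be the compiled-in user)."""
    with open("/proc/net/udp") as f:
        inode = udp_socket_inode(f.read(), port)
    if inode is None:
        return f"no UDP listener on port {port}"
    pid = pid_owning_inode(inode)
    if pid is None:
        return f"socket inode {inode} found but owner pid not visible (run as root)"
    with open(f"/proc/{pid}/status") as f:
        uids = parse_uids(f.read())
    expected = pwd.getpwnam(identity).pw_uid
    verdict = "OK" if privileges_dropped(uids, expected) else "NOT DROPPED"
    return f"pid {pid} uids={uids} expected={expected}: {verdict}"


# Constructed sample data (not real system output); 0x0202 is port 514.
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
    "  42: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0\n"
)
SAMPLE_STATUS_DROPPED = "Name:\tyule\nUid:\t65534\t65534\t65534\t65534\nGid:\t65534\t65534\t65534\t65534\n"
SAMPLE_STATUS_SAVED_ROOT = "Name:\tyule\nUid:\t65534\t65534\t0\t65534\nGid:\t65534\t65534\t65534\t65534\n"

if __name__ == "__main__":
    print(check_live())
```

Run it as root on the host where yule listens; the socket's own uid in /proc/net/udp still shows the creator (root), which is why the script inspects the process uids rather than the socket. The constructed SAMPLE_STATUS_SAVED_ROOT shows the case the "irrevocably" wording rules out: effective uid unprivileged, but saved uid still 0.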

NOTE

Note that in this case you cannot use a privileged port (< 1024) for the samhain client(s), because yule no longer has root privileges by the time it binds that port. The default is 49777, which causes no problem.