12. Syslog logging

yule (version 1.2.8+) can listen on port 514/udp to collect reports from syslog clients. Support for this must be compiled in with the --enable-udp configure option. In addition, you must set the option SetUDPActive=yes in the Misc section of the configuration file.

This option requires yule to run either as root or as SUID root. For security, yule will drop root privileges irrevocably immediately after binding to port 514/udp. It will assume the credentials of some compiled-in user. The default is 'yule', 'daemon', or 'nobody' (i.e. the first of these that exists on your system). You can override this with the --enable-identity=USER option. Note that each daemon should have its own user/group, so that an exploit will not give write access to files owned by other daemons.