i have setup a log server with splunk running on it. i pinged one of the clients using backtrack....Does this also genrate log which is sent the log server??????
I wanted to detect port scanning ...on any clients ..How to do it???
The client is ubuntu machine and so is the server i.e the syslog server
It depends on the firewall on the clients, you don't even mention the OS involved let along what it is you're pinging but certainly it would be possible to setup some OS's firewalls to syslog on port access attempts/denies.
That said this isn't a particularly good way of going about doing what, I think, you want. If you want to see if any machine on the inside of your network is port-scanning and have no switch/router-based way of doing this then go ahead and do what you want with firewalls, syslogs and splunk but if you're expecting port-scans to come in from a different network then you only need to look at the ingress port/s, which would be much easier.
Perhaps come back to us with much more information and we may be able to be clearer.
Syslog is a means for recording data, and Splunk is a means for parsing and searching data. Neither is designed for detecting security events like a port scan.
To detect security events, you need software usually called an "IDS" - Intrusion Detection System. That IDS will need a network interface that sees all the traffic you hope to watch. That's either a mirrored port on a managed switch or any port on a hub.
Attach a network intrusion detection sniffer like Snort to the monitoring port. Create rules to watch for port scanning attempts. Dump the IDS output to Splunk for analysis via syslog.
