G'day Hari,

Hari Sekhon wrote on 11/13/2006 10:37 PM:
> Hi,
>
> I'd like some advice on what I should do on my logserver regarding hostnames.
>
> I've currently got
>
>     keep_hostnames(no) use_dns(yes)
>
> in order to get accurate and consistent hostnames, but I'd like to consider just skipping the whole DNS check rewriting thing and use
>
>     keep_hostnames(yes) use_dns(no)
>
> The only issue I can see from this is that the hostname gets logged according to the packet. I'm reasonably confident that most machines will report the right name in their logs to the logserver, but I also think that it makes it all too possible to screw up the logserver maliciously, since any old junk that is sent to the port is put into the logs, so you could hammer the integrity of the logs just by sending loads of bogus logs from a machine with the name set to that of any other machine on the network.
I've seen some Unix systems where things like SCSI errors get logged with the hostname as "SCSI", etc. So unless the remote systems are well-behaved you may end up not being able to identify where the log came from.

As for malicious names in the messages - if you are accepting UDP logs then it's quite simple to send a UDP syslog packet with a spoofed source IP address, so DNS lookups aren't going to help you there.

Cheers

Phil

-- 
Philip Webster                          IT Security Engineer
Ph: +61 7 3138 9537                     Information Technology Services
Fx: +61 7 3138 2921                     Queensland University of Technology
Mb: 0411 653 313 (QUT: #6 6035)
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x393FF3E3
Fingerprint: 0CD0 640F 35A6 A1C6 ACE3 E107 4F6C AF1A 393F F3E3
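As an added illustration (not part of this thread and not syslog-ng's own code), the Python sketch below models the two policies Hari mentions, keep_hostnames(yes)/use_dns(no) versus keep_hostnames(no)/use_dns(yes), and a simple mismatch check a central log host could run over incoming lines. The PTR_TABLE and the sample datagrams are constructed stand-ins for real reverse DNS and real traffic.

```python
import re
from typing import Optional

# Constructed stand-in for reverse DNS (PTR) lookups; a real collector
# with use_dns(yes) would query DNS for the source address instead.
PTR_TABLE = {"10.0.0.5": "web01.example.org", "10.0.0.9": "db01.example.org"}

# Minimal RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOST TAG: message
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

def parse_message(raw: str) -> Optional[dict]:
    """Split a raw datagram into PRI, timestamp, sender-supplied HOST and the rest."""
    m = _RFC3164.match(raw)
    return m.groupdict() if m else None

def recorded_hostname(src_ip: str, raw: str, keep_hostnames: bool, use_dns: bool) -> str:
    """Hostname the collector stores under each policy from the thread.

    keep_hostnames=True trusts whatever HOST the sender wrote into the packet;
    otherwise the source address wins, reverse-resolved only when use_dns=True.
    """
    parsed = parse_message(raw)
    if keep_hostnames and parsed:
        return parsed["host"]
    return PTR_TABLE.get(src_ip, src_ip) if use_dns else src_ip

def hostname_mismatch(src_ip: str, raw: str) -> bool:
    """True when the HOST field disagrees with the PTR name of the source IP
    (or the datagram does not parse), so the line can be flagged for review."""
    parsed = parse_message(raw)
    return parsed is None or parsed["host"] != PTR_TABLE.get(src_ip)

# Constructed datagrams: a well-behaved sender, a driver writing "SCSI" into
# the HOST slot, and a message carrying another machine's name.
SAMPLES = [
    ("10.0.0.5", "<13>Nov 13 22:37:01 web01.example.org sshd[412]: session opened"),
    ("10.0.0.9", "<11>Nov 13 22:37:02 SCSI kernel: sd 0:0:0:0: device reset"),
    ("10.0.0.9", "<13>Nov 13 22:37:03 web01.example.org su: session opened for root"),
]

if __name__ == "__main__":
    for ip, msg in SAMPLES:
        print(recorded_hostname(ip, msg, True, False),
              recorded_hostname(ip, msg, False, True), hostname_mismatch(ip, msg))
```

With the source-address policy the third sample is attributed to db01 regardless of the name it carries, while the mismatch check flags both the "SCSI" line and the line claiming web01's name; as Phil notes, none of this helps once the source address itself is spoofed.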