thanks, looks like I'm keeping hostname re-writing using dns...

-h
Hari Sekhon

Philip Webster wrote:
G'day Hari,
Hari Sekhon wrote on 11/13/2006 10:37 PM:
Hi,
I'd like some advice on what I should do on my logserver regarding hostnames.
I've currently got
keep_hostnames(no) use_dns(yes)
in order to get accurate and consistent hostnames but I'd like to consider just skipping the whole dns check rewriting thing and use
keep_hostnames(yes) use_dns(no)
The only issue I can see from this is that the hostname gets logged according to the packet. I'm reasonably confident that most machines will report the right name in their logs to the logserver but I also think that it makes it all too possible to screw up the logserver maliciously since any old junk that is sent to the port is put into the logs so you could hammer the integrity of the logs just by sending loads of bogus logs from a machine with the name set to that of any other machine on the network.
I've seen some Unix systems where things like SCSI errors get logged with the hostname as "SCSI", etc. So unless the remote systems are well-behaved you may end up not being able to identify where the log came from.
As for malicious names in the messages - if you're accepting UDP logs then it's quite simple to send a UDP syslog packet with a spoofed source IP address, so DNS lookups aren't going to help you there.
Cheers
Phil
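The difference between the two settings in the thread, as an added example that is not from the list posts or from syslog-ng itself: it models keep_hostnames/use_dns as a choice of which hostname gets recorded, and flags packets whose embedded hostname disagrees with the reverse lookup of the sender (Hari's bogus-logs case). The reverse-DNS map and the sample traffic are constructed; the RFC 3164 line format is assumed.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the logserver's reverse-DNS resolver (assumption).
REVERSE_DNS = {"10.0.0.5": "web01.example.internal",
               "10.0.0.9": "db01.example.internal"}

# RFC 3164-style line: <PRI>Mon dd hh:mm:ss HOSTNAME TAG: message
SYSLOG_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "
                       r"(?P<host>\S+) (?P<rest>.*)$")

@dataclass
class LogRecord:
    claimed_host: str  # hostname written inside the packet
    logged_host: str   # hostname the logserver will actually record
    mismatch: bool     # packet hostname disagrees with reverse lookup of sender
    message: str

def parse(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    return m.group("host"), m.group("rest")

def choose_hostname(claimed, src_ip, keep_hostnames, use_dns, resolver=REVERSE_DNS):
    """Model the two settings from the thread.
    keep_hostnames(yes): trust whatever name the packet carries.
    keep_hostnames(no), use_dns(yes): use the reverse lookup of the sender,
    falling back to the bare IP when nothing resolves.
    keep_hostnames(no), use_dns(no): record the sender IP only."""
    if keep_hostnames:
        return claimed
    return resolver.get(src_ip, src_ip) if use_dns else src_ip

def ingest(line, src_ip, keep_hostnames, use_dns, resolver=REVERSE_DNS):
    claimed, rest = parse(line)
    logged = choose_hostname(claimed, src_ip, keep_hostnames, use_dns, resolver)
    expected = resolver.get(src_ip)
    # Compare short names: the packet usually carries the bare hostname while
    # reverse DNS returns the FQDN. Phil's caveat applies: over UDP src_ip
    # itself may be spoofed, so this check is only as good as the transport.
    mismatch = expected is not None and claimed.split(".")[0] != expected.split(".")[0]
    return LogRecord(claimed, logged, mismatch, rest)

# Constructed traffic: an honest web01 line, then one claiming db01 from web01's address.
SAMPLE = [("<34>Nov 13 22:37:01 web01 sshd[123]: Accepted publickey for ops", "10.0.0.5"),
          ("<34>Nov 13 22:37:05 db01 sshd[999]: Failed password for root", "10.0.0.5")]
def run(keep_hostnames, use_dns):
    return [ingest(line, ip, keep_hostnames, use_dns) for line, ip in SAMPLE]
```

With keep_hostnames(yes) the second line is recorded under db01's name even though it never came from db01; with use_dns(yes) it is recorded under the sender's resolved name, and the mismatch flag is what a logserver could alert on.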