Hello sysloggers,

Forgive my ignorance and lack of mailing list experience - I failed to figure out how to dig for information in the archives, and could find nothing in the docs. Please give some links to the archive search, or to an archive FAQ, if any exist.

I am responsible for monitoring and audit log collection in a very sensitive project. No cleartext communication is allowed between any nodes. The log collection server will be a Solaris-based cluster (Veritas, SC, or a homegrown failover/load-balancing method).

Under certain circumstances, tunnelling the traffic may introduce more vulnerabilities than it prevents, specifically by hiding the traffic from firewalls and local packet filters. Therefore, an ideal solution for syslog so far looks like numbering and encrypting/signing each individual syslog message (obviously on the fly, to prevent local tampering), and broadcasting it to the syslog subnet for stealth pickup by both nodes of the syslog cluster.

Is this something that can be achieved using syslog-ng, or is the effort of building the relevant extensions for syslog-ng and for a vanilla Solaris syslog equal?

Many thanks in advance for any pointers, hints and suggestions.

Regards,
Andrei
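The design Andy describes (number each message, encrypt and authenticate it on the fly, let both collector nodes pick it up off the wire) can be sketched in a few dozen lines. The block below is an added example, not code from this thread or from syslog-ng. It assumes a fixed 32-byte pre-shared key provisioned out of band on the sender and on both collectors, since syslog is unidirectional and no key exchange is possible; the key value, the frame layout, and the sample log lines are all constructed for the demonstration. It uses only the Python standard library, so the keystream is HMAC-SHA256 in counter mode standing in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo key; a real deployment provisions a random 32-byte key out of band.
PSK = bytes(range(32))
TAG_LEN = 32
HDR = struct.Struct(">8sQ")  # random session id (8 bytes) || sequence number (uint64)


def _subkey(psk: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the one pre-shared key."""
    return hmac.new(psk, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for an AEAD).

    The nonce must never repeat under one key; the sender mixes a random session
    id into it because a bare sequence counter would repeat after a restart.
    """
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class Sender:
    def __init__(self, psk: bytes):
        self.enc_key = _subkey(psk, b"syslog-enc")
        self.mac_key = _subkey(psk, b"syslog-mac")
        self.session = os.urandom(8)
        self.seq = 0

    def seal(self, line: bytes) -> bytes:
        """Number, encrypt and authenticate one syslog line into a datagram payload."""
        self.seq += 1
        header = HDR.pack(self.session, self.seq)
        body = header + _xor(line, _keystream(self.enc_key, header, len(line)))
        # Encrypt-then-MAC: the tag covers session id, sequence number and ciphertext,
        # so neither the counter nor the payload can be altered in transit.
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return body + tag


class Receiver:
    def __init__(self, psk: bytes):
        self.enc_key = _subkey(psk, b"syslog-enc")
        self.mac_key = _subkey(psk, b"syslog-mac")
        self.last = {}  # session id -> highest sequence number accepted

    def open(self, frame: bytes):
        """Return ("ok" | "gap:N", line) or ("reject", reason)."""
        if len(frame) < HDR.size + TAG_LEN:
            return ("reject", "short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the tag (constant-time) before decrypting or trusting the counter.
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return ("reject", "bad-tag")
        session, seq = HDR.unpack(body[:HDR.size])
        line = _xor(body[HDR.size:], _keystream(self.enc_key, body[:HDR.size], len(body) - HDR.size))
        last = self.last.get(session, 0)
        if seq <= last:
            return ("reject", "replay")  # duplicate or replayed frame
        self.last[session] = seq
        status = "ok" if seq == last + 1 else "gap:%d" % (seq - last - 1)
        return (status, line)


def demo():
    """Constructed sample lines; one frame delivered out of order, one tampered."""
    snd, rcv = Sender(PSK), Receiver(PSK)
    lines = [
        b"<34>Mar  1 13:20:09 host1 sshd[1042]: Accepted publickey for audit from 10.0.0.7",
        b"<86>Mar  1 13:20:10 host1 su: 'su root' succeeded for audit on /dev/pts/0",
        b"<34>Mar  1 13:20:11 host1 sshd[1042]: session closed for user audit",
    ]
    f1, f2, f3 = (snd.seal(l) for l in lines)
    tampered = bytearray(f2)
    tampered[HDR.size] ^= 0x01  # flip one ciphertext bit
    return [rcv.open(f1), rcv.open(f3), rcv.open(bytes(tampered)), rcv.open(f2)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two things the demo makes visible. First, because the sequence number sits under the MAC, the collector detects a missing message ("gap:1") as well as a forged or altered one ("bad-tag"), which is the "numbering" part of the proposal. Second, the strict "seq must exceed the last one seen" rule also rejects a late but genuine datagram as a replay, so a UDP broadcast deployment would want a small sliding window of accepted sequence numbers instead; and since both collector nodes share the key and the counter state is per node, each node has to keep its own window.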
Hi,

Andy <aryzhov@spasu.net> [20070301 13:20:09 +0100]:

> Hello sysloggers,
>
> Forgive my ignorance and lack of mailing list experience - I failed to figure out how to dig for information in the archives, and could find nothing in the docs.
> Please give some links to the archive search, or to an archive FAQ, if any exist.
>
> I am responsible for monitoring and audit log collection in a very sensitive project. No cleartext communication is allowed between any nodes. The log collection server will be a Solaris-based cluster (Veritas, SC, or a homegrown failover/load-balancing method).

Use IPSec to secure your communications from client to server where possible.

> Under certain circumstances, tunnelling the traffic may introduce more vulnerabilities than it prevents, specifically by hiding the traffic from firewalls and local packet filters.
> Therefore, an ideal solution for syslog so far looks like numbering and encrypting/signing each individual syslog message (obviously on the fly, to prevent local tampering), and broadcasting it to the syslog subnet for stealth pickup by both nodes of the syslog cluster.

A lot of operating systems support IPSec, which is something that can operate without syslog-ng being aware that it's taking place.

> Is this something that can be achieved using syslog-ng, or is the effort of building the relevant extensions for syslog-ng and for a vanilla Solaris syslog equal?

It's not so much "can syslog-ng support this ever" (which it does not) but really a case of whether your syslog sources can.

Cheers

Alex

> Many thanks in advance for any pointers, hints and suggestions.
>
> Regards,
> Andrei
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Thu, 2007-03-01 at 13:20 +0100, Andy wrote:

> Hello sysloggers,
>
> Forgive my ignorance and lack of mailing list experience - I failed to figure out how to dig for information in the archives, and could find nothing in the docs.
> Please give some links to the archive search, or to an archive FAQ, if any exist.
>
> I am responsible for monitoring and audit log collection in a very sensitive project. No cleartext communication is allowed between any nodes. The log collection server will be a Solaris-based cluster (Veritas, SC, or a homegrown failover/load-balancing method).
>
> Under certain circumstances, tunnelling the traffic may introduce more vulnerabilities than it prevents, specifically by hiding the traffic from firewalls and local packet filters.
> Therefore, an ideal solution for syslog so far looks like numbering and encrypting/signing each individual syslog message (obviously on the fly, to prevent local tampering), and broadcasting it to the syslog subnet for stealth pickup by both nodes of the syslog cluster.
>
> Is this something that can be achieved using syslog-ng, or is the effort of building the relevant extensions for syslog-ng and for a vanilla Solaris syslog equal?

This is not currently possible, and I'm afraid it might be difficult unless using fixed keying (the syslog protocol is unidirectional, so key exchange is not possible).

I would use TLS instead of IPSec, in which case you can screen the traffic by port number on your firewalls (provided they are packet filtering firewalls, which are unable to decrypt TLS traffic).

The GPL version of syslog-ng does not have built-in TLS support, however:

1) you can wrap syslog traffic via stunnel
2) you can wait (a little) for our not-yet-announced commercial syslog-ng version which does.

--
Bazsi
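Option 1 above, wrapping syslog-ng's TCP transport in TLS with stunnel, looks like the following. This is an added example, not configuration from the thread, from syslog-ng or from the stunnel project. The port numbers (5140 locally, 6514 on the wire), the certificate paths, the `loghost.example.net` service address and the `s_local` source are assumptions; the syslog-ng fragments use the `tcp()` driver of the 2.x releases current at the time of the thread.

```conf
# --- source host: /etc/syslog-ng/syslog-ng.conf (fragment) ---
# Hand messages to the local stunnel listener only; nothing leaves the host in cleartext.
# (s_local is assumed to be the host's existing local source.)
destination d_tls_relay { tcp("127.0.0.1" port(5140)); };
log { source(s_local); destination(d_tls_relay); };

# --- source host: /etc/stunnel/stunnel.conf ---
client = yes
cert   = /etc/stunnel/client.pem    # client certificate, so the collector can authenticate this host
key    = /etc/stunnel/client.key
CAfile = /etc/stunnel/ca.pem
verify = 2                          # require a CA-signed certificate from the collector
[syslog]
accept  = 127.0.0.1:5140
connect = loghost.example.net:6514  # assumed cluster service address (fails over with the cluster)

# --- collector node: /etc/stunnel/stunnel.conf ---
cert   = /etc/stunnel/collector.pem
key    = /etc/stunnel/collector.key
CAfile = /etc/stunnel/ca.pem
verify = 2                          # only clients presenting a CA-signed certificate may connect
[syslog]
accept  = 6514
connect = 127.0.0.1:5140

# --- collector node: /etc/syslog-ng/syslog-ng.conf (fragment) ---
# Listen on loopback only; the only network-facing listener is stunnel on tcp/6514.
source s_tls { tcp(ip(127.0.0.1) port(5140)); };
destination d_audit { file("/var/log/audit/$HOST/$YEAR$MONTH$DAY.log"); };
log { source(s_tls); destination(d_audit); };
```

This keeps the firewall picture Bazsi describes: the only flow to permit between the source hosts and the collector address is TCP to port 6514, and a packet filter can enforce exactly that without needing to see inside the TLS stream. Two caveats worth checking in practice: with stunnel in front, syslog-ng sees every connection as coming from 127.0.0.1, so the host name in the log must come from the message itself (`keep_hostname(yes)` in the global options); and `verify = 2` on the collector is what stops an arbitrary host on the subnet from injecting messages over the same port, so every source needs its own certificate from the CA in `ca.pem`.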
participants (3)
- Alexander Clouter
- Andy
- Balazs Scheidler