[syslog-ng] replacing part of prog name with hostname

Balazs Scheidler bazsi@balabit.hu
Fri, 3 Jan 2003 12:13:20 +0100


On Fri, Jan 03, 2003 at 05:03:03AM -0500, Noam Meltzer wrote:
>  I won't expect Sun to change their native syslogd. Their syslogd is
> working well in its native environment, and its "harmony" with other
> native syslogds is very good. For me it doesn't seem like a bug. Just
> another mechanism.

It is not Solaris's syslogd that has the bug. It's ctld which sends bogus
data in its messages.

>                    Solaris' syslogd recognizes the hostname by doing
> reverse-resolution for each packet. And I don't think it's such a bad
> idea. The current mechanism of syslog-ng is trying to run some regexp on
> the data string (if I understood you correctly). I believe that the
> Solaris mechanism is more secure because that way you know for sure that
> the originating IP is who it claims to be. (Yes, you can always hijack
> (hope I spelled this correctly) an IP in the network, but I guess that in
> that case you have other trouble). In the syslog-ng mechanism, someone can
> inject fake logs. (I don't know what good it can give an attacker...
> but I'm sure that some criminal mind can find what to do with this).

In keep_hostname(no) state, syslog-ng does not trust the host name in any
way. But this interacts badly with ctld.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
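As an added illustration (not code from this thread and not syslog-ng's own parser), the following Python model shows the two hostname policies discussed above on BSD-style syslog lines. It uses the usual receiver heuristic of treating the token after the timestamp as HOSTNAME only when it does not look like a TAG, then either keeps that embedded hostname (the keep_hostname(yes) behaviour, where a sender can claim any host it likes) or discards it in favour of the peer address and a reverse lookup (the keep_hostname(no) / Solaris-style behaviour). The reverse-DNS table, the peer addresses and every log line are constructed for the example; the exact bytes ctld emits are not on the page, so the last sample only has the general shape of a message with no HOSTNAME field and shows why that shape interacts badly with the heuristic.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed reverse-DNS table standing in for the resolver a receiver such as
# syslog-ng (use_dns(yes)) or Solaris syslogd would consult. Nothing is looked up
# over the network, so the example runs offline.
REVERSE_DNS: Dict[str, str] = {
    "10.0.0.99": "build-box.example.net",
    "10.0.0.7": "sunbox.example.net",
}

# BSD syslog (RFC 3164 style): <PRI>TIMESTAMP [HOSTNAME] TAG[PID]: MSG
_HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")
_TAG = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?:\s*(.*)$")


@dataclass
class SyslogEvent:
    priority: int
    timestamp: str
    host: str
    program: str
    message: str
    host_source: str  # "message" (trusted the sender), "reverse-dns" or "peer"


def _split_hostname(rest: str) -> Tuple[Optional[str], str]:
    """Receiver heuristic: the token after the timestamp is a HOSTNAME only if it
    cannot be a TAG, i.e. it contains neither ':' nor '['. A program name written
    without a colon therefore gets mistaken for a hostname."""
    first, sep, remainder = rest.partition(" ")
    if not sep or ":" in first or "[" in first:
        return None, rest
    return first, remainder


def _split_tag(tag_and_msg: str) -> Tuple[str, str]:
    """Split 'prog[pid]: text' into (prog, text); no recognisable TAG yields ''."""
    m = _TAG.match(tag_and_msg)
    if m:
        return m.group(1), m.group(2)
    return "", tag_and_msg


def parse_bsd_syslog(raw: str, peer_ip: str, keep_hostname: bool,
                     use_dns: bool = True) -> SyslogEvent:
    """Parse one UDP syslog datagram received from peer_ip.

    keep_hostname=True  : trust the HOSTNAME field the sender wrote (spoofable).
    keep_hostname=False : ignore it; attribute the event to the peer address,
                          reverse-resolved when use_dns is set and a PTR exists.
    """
    m = _HEADER.match(raw)
    if not m:
        raise ValueError(f"not a BSD syslog message: {raw!r}")
    priority, timestamp, rest = int(m.group(1)), m.group(2), m.group(3)
    embedded_host, tag_and_msg = _split_hostname(rest)
    program, message = _split_tag(tag_and_msg)

    if keep_hostname and embedded_host is not None:
        host, source = embedded_host, "message"
    elif use_dns and peer_ip in REVERSE_DNS:
        host, source = REVERSE_DNS[peer_ip], "reverse-dns"
    else:
        host, source = peer_ip, "peer"
    return SyslogEvent(priority, timestamp, host, program, message, source)


# Constructed sample datagrams.
SPOOFED = "<13>Jan  3 12:13:20 trusted-db sshd[4242]: Accepted publickey for root"
# Shape of a message whose daemon omits HOSTNAME and writes its name without a
# colon: the hostname heuristic swallows the program name.
NO_HOSTNAME = "<14>Jan  3 12:13:20 somed link down"


def demo() -> Dict[str, SyslogEvent]:
    """Run the policies over the constructed samples as if sent from 10.0.0.99."""
    return {
        # Sender on 10.0.0.99 claims to be trusted-db: believed when keeping the hostname.
        "spoof_kept": parse_bsd_syslog(SPOOFED, "10.0.0.99", keep_hostname=True),
        # Same datagram with keep_hostname(no): attributed to the real sender.
        "spoof_dropped": parse_bsd_syslog(SPOOFED, "10.0.0.99", keep_hostname=False),
        # No HOSTNAME field: 'somed' is taken as the host, the program field is lost.
        "nohost_kept": parse_bsd_syslog(NO_HOSTNAME, "10.0.0.99", keep_hostname=True),
        "nohost_dropped": parse_bsd_syslog(NO_HOSTNAME, "10.0.0.99", keep_hostname=False),
        # Peer with no PTR record falls back to the bare address.
        "no_ptr": parse_bsd_syslog(SPOOFED, "192.0.2.5", keep_hostname=False),
    }


if __name__ == "__main__":
    for name, ev in demo().items():
        print(f"{name:14s} host={ev.host!r} ({ev.host_source}) prog={ev.program!r} msg={ev.message!r}")
```

With keep_hostname(no) the spoofed datagram is attributed to build-box.example.net regardless of what it claims, which is the point Bazsi makes. The price is visible in the NO_HOSTNAME sample: the first token is consumed as a hostname and then thrown away, so a daemon that omits the HOSTNAME field loses its program name, and with keep_hostname(yes) that program name would instead show up as the host.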