[syslog-ng] Advice on keeping hostnames/using dns
Philip Webster
p.webster at qut.edu.au
Thu Dec 7 00:52:35 CET 2006
G'day Hari,
Hari Sekhon wrote on 11/13/2006 10:37 PM:
> Hi,
>
> I'd like some advice on what I should do on my logserver regarding
> hostnames.
>
> I've currently got
>
> keep_hostnames(no)
> use_dns(yes)
>
> in order to get accurate and consistent hostnames but I'd like to
> consider just skipping the whole dns check rewriting thing and use
>
> keep_hostnames(yes)
> use_dns(no)
>
> The only issue I can see from this is that the hostname gets logged
> according to the packet. I'm reasonably confident that most machines
> will report the right name in their logs to the logserver but I also
> think that it makes it all too possible to screw up the logserver
> maliciously since any old junk that is sent to the port is put into the
> logs so you could hammer the integrity of the logs just by sending loads
> of bogus logs from a machine with the name set to that of any other
> machine on the network.
I've seen some Unix systems where things like SCSI errors get logged with the
hostname as "SCSI", etc. So unless the remote systems are well-behaved you
may end up not being able to identify where the log came from.
As for malicious names in the messages - if you accepting UDP logs then its
quite simple to send a UDP syslog packet with a spoofed source IP address, so
DNS lookups aren't going to help you there.
Cheers
Phil
--
Philip Webster
IT Security Engineer Ph: +61 7 3138 9537
Information Technology Services Fx: +61 7 3138 2921
Queensland University of Technology Mb: 0411 653 313 (QUT: #6 6035)
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x393FF3E3
Fingerprint: 0CD0 640F 35A6 A1C6 ACE3 E107 4F6C AF1A 393F F3E3
More information about the syslog-ng
mailing list