[syslog-ng] Advice on keeping hostnames/using dns

Philip Webster p.webster at qut.edu.au
Thu Dec 7 00:52:35 CET 2006


G'day Hari,

Hari Sekhon wrote on 11/13/2006 10:37 PM:
> Hi,
> 
> I'd like some advice on what I should do on my logserver regarding
> hostnames.
> 
> I've currently got
> 
> keep_hostnames(no)
> use_dns(yes)
> 
> in order to get accurate and consistent hostnames but I'd like to
> consider just skipping the whole dns check rewriting thing and use
> 
> keep_hostnames(yes)
> use_dns(no)
>
> The only issue I can see from this is that the hostname gets logged
> according to the packet. I'm reasonably confident that most machines
> will report the right name in their logs to the logserver but I also
> think that it makes it all too possible to screw up the logserver
> maliciously since any old junk that is sent to the port is put into the
> logs so you could hammer the integrity of the logs just by sending loads
> of bogus logs from a machine with the name set to that of any other
> machine on the network.

I've seen some Unix systems where things like SCSI errors get logged with the
hostname as "SCSI", etc.  So unless the remote systems are well-behaved you
may end up not being able to identify where the log came from.

As for malicious names in the messages - if you're accepting UDP logs then it's
quite simple to send a UDP syslog packet with a spoofed source IP address, so
DNS lookups aren't going to help you there.

Cheers
Phil

-- 

Philip Webster
IT Security Engineer                  Ph: +61 7 3138 9537
Information Technology Services       Fx: +61 7 3138 2921
Queensland University of Technology   Mb:  0411 653  313  (QUT: #6 6035)

PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x393FF3E3
Fingerprint: 0CD0 640F 35A6 A1C6 ACE3  E107 4F6C AF1A 393F F3E3
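An added illustration of the two configurations the thread contrasts, not code from the syslog-ng project or from either poster: a small receiver-side parser that keeps both the HOSTNAME field a client sent and the name a reverse lookup of the source address would give, and flags the two disagreeing. The reverse-DNS table, the datagrams and the host names are constructed; as Phil notes, the source address of a UDP datagram can itself be forged, so this check catches a mismatched name, not a spoofed sender.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Minimal RFC 3164 shape: <PRI>MMM dd hh:mm:ss HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

# Constructed stand-in for reverse DNS; use_dns(yes) would ask a resolver.
REVERSE_DNS = {"10.0.0.5": "web01", "10.0.0.6": "db01"}

class Record(NamedTuple):
    src_ip: str                   # from the datagram header (spoofable over UDP)
    claimed_host: str             # HOSTNAME field exactly as the client sent it
    resolved_host: Optional[str]  # what a reverse lookup of src_ip gives, if any
    msg: str

def parse_datagram(src_ip: str, data: bytes) -> Record:
    m = SYSLOG_RE.match(data)
    if not m:
        raise ValueError("not a well-formed syslog datagram")
    return Record(src_ip, m["host"].decode(), REVERSE_DNS.get(src_ip), m["msg"].decode())

def logged_hostname(rec: Record, keep_hostnames: bool, use_dns: bool) -> str:
    """Mirror the two option pairs from the thread: keep the packet's name,
    or rewrite it from the source address (falling back to the bare IP)."""
    if keep_hostnames:
        return rec.claimed_host
    if use_dns and rec.resolved_host:
        return rec.resolved_host
    return rec.src_ip

def hostname_mismatch(rec: Record) -> bool:
    """True when the sent name is not the one the source address resolves to,
    or when the source address resolves to nothing at all."""
    return rec.resolved_host is None or rec.claimed_host != rec.resolved_host

# Constructed sample datagrams: a consistent one, a forged HOSTNAME field
# from a different sender, and a driver that logs with the hostname "SCSI".
DATAGRAMS = [
    ("10.0.0.5", b"<34>Dec  7 00:52:35 web01 sshd[123]: Accepted publickey for phil"),
    ("10.0.0.6", b"<13>Dec  7 00:53:01 web01 cron[77]: name copied from another host"),
    ("10.0.0.9", b"<11>Dec  7 00:53:09 SCSI kernel: sd 0:0:0:0: I/O error"),
]

def audit(datagrams) -> List[Tuple[str, str, bool]]:
    """Per datagram: name under keep_hostnames(yes)/use_dns(no), name under
    keep_hostnames(no)/use_dns(yes), and whether the two disagree."""
    out = []
    for ip, raw in datagrams:
        rec = parse_datagram(ip, raw)
        out.append((logged_hostname(rec, True, False),
                    logged_hostname(rec, False, True),
                    hostname_mismatch(rec)))
    return out
```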