[syslog-ng] Advice on keeping hostnames/using dns

Hari Sekhon hpsekhon at googlemail.com
Thu Dec 7 11:04:07 CET 2006


Thanks, looks like I'm keeping hostname re-writing using DNS...

-h

Hari Sekhon



Philip Webster wrote:
> G'day Hari,
>
> Hari Sekhon wrote on 11/13/2006 10:37 PM:
>   
>> Hi,
>>
>> I'd like some advice on what I should do on my logserver regarding
>> hostnames.
>>
>> I've currently got
>>
>> keep_hostnames(no)
>> use_dns(yes)
>>
>> in order to get accurate and consistent hostnames but I'd like to
>> consider just skipping the whole dns check rewriting thing and use
>>
>> keep_hostnames(yes)
>> use_dns(no)
>>
>> The only issue I can see from this is that the hostname gets logged
>> according to the packet. I'm reasonably confident that most machines
>> will report the right name in their logs to the logserver but I also
>> think that it makes it all too possible to screw up the logserver
>> maliciously since any old junk that is sent to the port is put into the
>> logs so you could hammer the integrity of the logs just by sending loads
>> of bogus logs from a machine with the name set to that of any other
>> machine on the network.
>>     
>
> I've seen some Unix systems where things like SCSI errors get logged with the
> hostname as "SCSI", etc.  So unless the remote systems are well-behaved you
> may end up not being able to identify where the log came from.
>
> As for malicious names in the messages - if you are accepting UDP logs then it's
> quite simple to send a UDP syslog packet with a spoofed source IP address, so
> DNS lookups aren't going to help you there.
>
> Cheers
> Phil
>
>   
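The exchange above contrasts trusting the HOSTNAME field carried in the packet (keep_hostnames(yes), use_dns(no)) with deriving the host from the sender address (keep_hostnames(no), use_dns(yes)). The following Python script is an added example, not code from the thread or from syslog-ng: it models how the stored HOST value differs under each setting and runs a mismatch audit over a few constructed messages, including the "SCSI" style misbehaving client and a client claiming another machine's name. The REVERSE_DNS table is a constructed stand-in for PTR lookups, and the function names (resolve_host, audit) are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for reverse DNS (PTR) answers. syslog-ng itself resolves
# the datagram's source address when use_dns(yes) is configured.
REVERSE_DNS = {
    "10.0.0.11": "web1.example.net",
    "10.0.0.12": "db1.example.net",
    "10.0.0.13": "build.example.net",
}

# RFC 3164 style line as it arrives over UDP: <PRI>TIMESTAMP HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)


@dataclass
class Received:
    src_ip: str   # source address of the UDP datagram
    raw: str      # payload as received


def parse(raw):
    """Split a received line into its syslog fields, or None if malformed."""
    m = SYSLOG_RE.match(raw)
    return m.groupdict() if m else None


def resolve_host(rec, keep_hostnames, use_dns):
    """Return the HOST value the server would store under the two options.

    Models the behaviour discussed in the thread: keep_hostnames(yes) trusts
    the HOSTNAME field from the packet; otherwise the host comes from the
    sender address, via reverse DNS when use_dns(yes), else the bare IP.
    """
    fields = parse(rec.raw)
    if keep_hostnames and fields and fields["host"]:
        return fields["host"]
    if use_dns:
        return REVERSE_DNS.get(rec.src_ip, rec.src_ip)
    return rec.src_ip


def audit(records):
    """Flag messages whose claimed hostname disagrees with the sender address.

    Catches both a misbehaving client ("SCSI") and a client using another
    machine's name. A datagram with a spoofed source IP is not caught here,
    which is Phil's point: that needs TCP or network-level controls.
    """
    findings = []
    for rec in records:
        fields = parse(rec.raw)
        if fields is None:
            findings.append((rec.src_ip, None, "unparseable"))
            continue
        claimed = fields["host"]
        expected = REVERSE_DNS.get(rec.src_ip)
        if expected is None:
            findings.append((rec.src_ip, claimed, "no PTR record for sender"))
        elif claimed != expected:
            findings.append((rec.src_ip, claimed, f"expected {expected}"))
    return findings


# Constructed sample traffic: one honest client, one logging under "SCSI",
# one claiming db1's name, and one sender with no PTR record at all.
SAMPLE = [
    Received("10.0.0.11", "<13>Dec  7 11:04:07 web1.example.net sshd[123]: Accepted publickey for ops"),
    Received("10.0.0.12", "<3>Dec  7 11:04:08 SCSI kernel: sd 0:0:0:0: I/O error"),
    Received("10.0.0.13", "<13>Dec  7 11:04:09 db1.example.net sshd[9]: session opened for user ops"),
    Received("10.0.0.99", "<13>Dec  7 11:04:10 web1.example.net cron[7]: job started"),
]


if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.src_ip,
              "packet:", resolve_host(rec, keep_hostnames=True, use_dns=False),
              "dns:", resolve_host(rec, keep_hostnames=False, use_dns=True))
    for src, claimed, why in audit(SAMPLE):
        print(f"MISMATCH from {src}: claimed {claimed!r} ({why})")
```

Running the audit periodically over received traffic (or as a filter in front of the store) gives a record of which senders disagree with their resolved names, which is the information lost when keep_hostnames(yes) is used on its own.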