[syslog-ng] Controlling Logging to Central Syslog-ng Server, DoS etc

Kevin kkadow at gmail.com
Fri Sep 22 19:47:12 CEST 2006


On 9/22/06, Hari Sekhon <hpsekhon at googlemail.com> wrote:
>  nate wrote:
>  On Fri, Sep 22, 2006 at 03:18:50PM +0100, Hari Sekhon wrote:
> After all, couldn't somebody just write a loop to send garbage to it
> and fill the whole machine up, not to mention drown out all other valid
> logs so you miss any important events (oops, I am giving away too much
> here?). I'm actually tempted to write an attack for this right now...

It's been done.  Code is out there.

> One possibility is that you could try and surpass syslog protocol by
> allowing only syslog-ng tcp connections and providing some authentication
> mechanism like certificates or keys or something, like ssh keys or some
> other public private certificate system. Although the overhead will be
> considerable, both in machine terms and humans admin terms, but I can't
> think of any other way of really doing this at the moment.

For very low volume logs, I've installed syslog-ng and stunnel on both
the source and destination machines, and bound the TCP sockets to
127.0.0.1 on the sending and receiving machines, so all syslog goes via
the tunnel.

The tricky part is getting stunnel's "transparent mode" to work so
syslog-ng sees the connection as coming from the real source, not from
loopback.


>  Perhaps instead of the connection being authenticated, the packets
> themselves could be signed, although I'm no cryptography expert to
> know how secure that would be against forgery.

There are a couple of options to address this without changing syslog-ng:

1) You can turn on IPSEC on the source machines and the syslog server,
and then you can even take in UDP packets.
2) As of OpenSSH version 4.3, you can tunnel UDP packets through SSH.


>  I feel that it would be a huge and difficult task to add serious security
> to syslog-ng beyond this.

I feel it would be a small and easy task to add SSL support to
syslog-ng for TCP connections, just link against OpenSSL and add a few
new options for tcp() sources.

Kevin
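
As an added illustration (not Kevin's actual configuration), the loopback-plus-stunnel layout he describes, written as a modern stunnel.conf for each end with mutual certificate verification; the hostnames, ports, file paths and certificate names are assumptions, and the matching syslog-ng source/destination lines are shown as comments beside the stunnel service they feed:

```ini
; --- sending host: /etc/stunnel/syslog-client.conf (assumed path) ---
; syslog-ng on this host sends only to the loopback listener:
;   destination d_central { tcp("127.0.0.1" port(5140)); };
client = yes
cert   = /etc/stunnel/sender.pem      ; this host's certificate and key (assumed)
CAfile = /etc/stunnel/ca.pem          ; CA that signed the server certificate
verify = 2                            ; require a CA-signed peer certificate
[syslog]
accept  = 127.0.0.1:5140              ; loopback only, never 0.0.0.0
connect = loghost.example.net:6514    ; central server, TLS side (assumed name)

; --- central server: /etc/stunnel/syslog-server.conf (assumed path) ---
; syslog-ng on the server listens on loopback only, so the TLS endpoint
; is the single way in:
;   source s_tunnel { tcp(ip("127.0.0.1") port(5140)); };
client = no
cert   = /etc/stunnel/loghost.pem     ; server certificate and key (assumed)
CAfile = /etc/stunnel/ca.pem
verify = 2                            ; senders without a CA-signed cert are dropped
[syslog]
accept  = 6514                        ; reachable from the network
connect = 127.0.0.1:5140              ; hand the plaintext to local syslog-ng
```

With `verify = 2` on the server, a host that has no certificate signed by the CA is refused at the TLS handshake and never reaches the syslog-ng socket, which is what keeps the garbage-flood scenario from the quoted question off the log server. Preserving the real source address for syslog-ng is stunnel's `transparent` option, the Linux-only, routing-dependent part Kevin calls tricky.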

