[syslog-ng] [PATCH] anonymizing filter

Balazs Scheidler bazsi at balabit.hu
Mon Dec 3 11:49:51 CET 2007


On Fri, 2007-11-30 at 14:03 -0500, Micah Anderson wrote:
> Hello,
> 
> A couple years ago this patch was submitted to the list for
> consideration for inclusion into syslog-ng. I am writing this email
> again to request that it be considered again. The patch provides a
> simple replace which enables you to strip out IP addresses from your
> logs before they are written to disk. The patch has been included in the
> Debian stable distribution, and currently is included in both Debian Sid
> and Lenny (unstable and testing). It has had a very wide testing base
> and is non-intrusive; it has existed since 2004 and has been adapted to
> work with the newer syslog-ng. The goal of this patch is to give an
> organization the means to implement site logging policies, by allowing
> for easy control over exactly what data is retained in the logfiles.
> 
> When I first requested consideration for inclusion the reactions were
> some suggestions for improvement (which were done), some side
> discussions about the various states of data retention laws, and a
> general agreement that this patch is non-intrusive and had a valid use
> case (at least in the U.S., but also likely in other countries as
> well[0]).
> 
> The side-discussions about data-retention laws were mostly around
> specific geographic localities that were considering laws that would
> make stripping of addresses illegal, or had already mandated such
> things. Although these were interesting discussions, as EU data
> retention laws would prohibit many people from making such configuration
> changes to their syslog-ng.conf, they were tangential to the point
> because this patch does not cause those to break such laws.
> 
> On the other side of the pond, in the U.S., the EFF[1] has made it very
> clear that this mechanism of anonymizing logs is perfectly (a) legal in
> the U.S., and (b) advisable. There are many instances where it is
> preferable to keep less information on users than is collected by
> default on many systems. In the United States it is not currently
> required to retain data on users of a server, but you may be required to
> provide all data on a user which you have retained. OSPs can protect
> themselves from legal hassles and added work by choosing what data they
> wish to retain. The current climate in the U.S. makes this problem so
> much more important now than it was many years ago.
>  
> Having the ability to implement a site-policy that enables an
> organization to decide if the trade-off between privacy and analysis is
> worthwhile. This patch allows organizations to have that choice if they
> feel that it is more important to avoid retaining sensitive data rather
> than having a full history of everything logged.

I understand that the need is genuine and the feature this patch
provides is useful, but exactly as Evan wrote in his email, its
implementation is way out of the syslog-ng model. It uses filters to
rewrite parts of the message.



-- 
Bazsi


