[syslog-ng] ? Message encryption

Balazs Scheidler bazsi at balabit.hu
Fri Mar 2 14:25:27 CET 2007


On Thu, 2007-03-01 at 13:20 +0100, Andy wrote:
> Hello sysloggers, 
> 
> Forgive my ignorance and lack of mailing list experience - 
> I failed to figure out how to dig for information in the 
> archives, and could find nothing in the docs.
> 
> Please give some links to the archive search, or to archive 
> FAQ, if any exist.
> 
> I am responsible for monitoring and audit log collection 
> in a very sensitive project. No cleartext communication 
> is allowed between any nodes. Log collection server 
> will be a Solaris based cluster (Veritas or SC 
> or homegrown failover/loadbalancing method) 
> 
> Under certain circumstances, tunnelling the traffic may 
> introduce more than prevent vulnerabilities, specifically,
> by hiding the traffic from firewalls and local packet filters. 
> 
> Therefore, an ideal solution for syslog so far looks like
> numbering and encrypting/signing each individual syslog message 
> (obviously, on the fly, to prevent local tampering), and 
> broadcast it to the syslog subnet for stealth pickup by both 
> nodes of the syslog cluster.
> 
> Is it something that can be achieved using syslog-ng, or the 
> effort of building the relevant extensions for syslog-ng and to 
> a vanilla Solaris syslog is equal? 

This is not currently possible and I'm afraid it might be difficult,
unless using fixed keying (the syslog protocol is unidirectional, so key
exchange is not possible).

I would use TLS instead of IPSec, in which case you can screen the
traffic by port number on your firewalls (provided they are packet
filtering firewalls, which are unable to decrypt TLS traffic).

The GPL version of syslog-ng does not have built in TLS support,
however:
 1) you can wrap syslog traffic via stunnel
 2) you can wait (a little) for our not-yet-announced commercial
syslog-ng version which does.

-- 
Bazsi
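As an added illustration of the "numbering and signing each individual message" scheme discussed above (not code from the thread or from syslog-ng), the following Python sketch shows what the fixed-keying variant Bazsi mentions looks like at the receiving end: each line carries a sequence number and an HMAC over both fields, and the collector rejects lines whose tag fails or whose counter does not advance. The key, the "<seq> <tag> <message>" wire format and the sample lines are constructed assumptions; this gives tamper and replay detection only, not confidentiality, so the "no cleartext" requirement would still need TLS or stunnel as suggested in the reply.

```python
import hmac
import hashlib

# Constructed pre-shared key; in practice provisioned out of band to every
# sender and to both cluster nodes (the "fixed keying" Bazsi refers to).
PSK = b"constructed-demo-key-do-not-reuse"

def sign_message(seq: int, message: str, key: bytes = PSK) -> str:
    """Prefix a syslog line with a per-sender sequence number and an HMAC-SHA256
    tag. Assumed wire format: "<seq> <hex-tag> <message>"; the tag covers both
    fields, so neither the counter nor the text can be altered in isolation."""
    payload = f"{seq} {message}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{seq} {tag} {message}"

class Verifier:
    """Receiver state: accept only authentic lines whose sequence number is
    strictly greater than the last accepted one, rejecting replays."""
    def __init__(self, key: bytes = PSK):
        self.key = key
        self.last_seq = -1

    def verify(self, line: str):
        """Return (accepted, reason) for one received line."""
        try:
            seq_str, tag, message = line.split(" ", 2)
            seq = int(seq_str)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, f"{seq} {message}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return False, "bad tag"
        if seq <= self.last_seq:
            return False, "replay or out of order"
        self.last_seq = seq
        return True, "ok"

def demo():
    """Constructed sample lines: two genuine, then one tampered, one replayed."""
    lines = [sign_message(i, m) for i, m in enumerate([
        "<34>Mar  2 14:25:27 host1 sshd[812]: Accepted publickey for ops",
        "<34>Mar  2 14:25:30 host1 sudo: ops : COMMAND=/bin/ls",
    ])]
    v = Verifier()
    results = [v.verify(lines[0])[1], v.verify(lines[1])[1]]
    results.append(v.verify(lines[1].replace("/bin/ls", "/bin/sh"))[1])  # altered
    results.append(v.verify(lines[0])[1])  # old line resent
    return results  # ['ok', 'ok', 'bad tag', 'replay or out of order']
```

A real deployment would keep one counter per sender and persist the last accepted value across collector failover, otherwise the standby node accepts replays of everything the primary already saw.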
