[syslog-ng] [PATCH] anonymizing filter

William Pitcock nenolod at sacredspiral.co.uk
Fri Nov 30 21:04:52 CET 2007


Hi,

As someone who operates systems where privacy is desired by their users,
I have found this patch very useful. In fact, I found it so useful that
I did the initial port of this patch to syslog-ng 2.

I was told things when I submitted it like "well, all of those apps you
use should strip the data instead". It is very inconvenient (and if you
use commercial software, impossible) to patch a bunch of daemons (the
average server can have 30 or more daemons running!) when instead you
can strip the information out in the log instead.

Other people told me things like "well, why do they need privacy?
clearly they are doing something _wrong_ if they need privacy," and
well, that's not the case either. Besides the rationale that Micah
mentioned for this patch, consider the case where a system gets
compromised by spammers (ok, really, this shouldn't happen, but in
reality, it does - usually due to upstream vendors not getting patches
out in time), the syslogs commonly contain e-mail traffic information,
which may not be desirable in the hands of spammers. Having the option
to implement a policy which avoids retaining data would also have the
benefit of avoiding a situation like the one I describe.

At a minimum, I would suggest providing a pointer to this patch. Also,
on another note, Debian has included this patch for some time, which
means that it's theoretically proven to be reliable.

William

On Fri, 2007-11-30 at 14:03 -0500, Micah Anderson wrote:
> Hello,
> 
> A couple years ago this patch was submitted to the list for
> consideration for inclusion into syslog-ng. I am writing this email
> again to request that it be considered again. The patch provides a
> simple replace which enables you to strip out IP addresses from your
> logs before they are written to disk. The patch has been included in the
> Debian stable distribution, and currently is included in both Debian Sid
> and Lenny (unstable and testing). It has had a very wide testing base
> and is non-intrusive, it has existed since 2004 and has been adapted to
> work with the newer syslog-ng. The goal of this patch is to give an
> organization the means to implement site logging policies, by allowing
> for easy control over exactly what data is retained in the logfiles.
> 
> When I first requested consideration for inclusion the reactions were
> some suggestions for improvement (which were done), some side
> discussions about the various states of data retention laws, and a
> general agreement that this patch is non-intrusive and had a valid use
> case (at least in the U.S., but also likely in other countries as
> well[0]).
> 
> The side-discussions about data-retention laws were mostly around
> specific geographic localities that were considering laws that would
> make stripping of addresses illegal, or had already mandated such
> things. Although these were interesting discussions, as EU data
> retention laws would prohibit many people from making such configuration
> changes to their syslog-ng.conf, they were tangential to the point
> because this patch does not cause those to break such laws.
> 
> On the other side of the pond, in the U.S., the EFF[1] has made it very
> clear that this mechanism of anonymizing logs is perfectly (a) legal in
> the U.S., and (b) advisable. There are many instances where it is
> preferable to keep less information on users than is collected by
> default on many systems. In the United States it is not currently
> required to retain data on users of a server, but you may be required to
> provide all data on a user which you have retained. OSPs can protect
> themselves from legal hassles and added work by choosing what data they
> wish to retain. The current climate in the U.S. makes this problem so
> much more important now than it was many years ago.
>  
> Having the ability to implement a site-policy that enables an
> organization to decide if the trade-off between privacy and analysis is
> worthwhile. This patch allows organizations to have that choice if they
> feel that it is more important to avoid retaining sensitive data rather
> than having a full history of everything logged.
> 
> Please accept this patch[2],
> Micah
> 
> [0] EPIC International Data Retention Page 
> http://www.epic.org/privacy/intl/data_retention.html
> 
> [1] The EFF is the major civil liberties internet watchdog in the
> US, their "Best Practices for Online Service Providers" can be found
> here: http://www.eff.org/osp, they explicitly link to our patch as a
> recommendation
> 
> [2] The latest patch can be found at
> https://code.autistici.org/trac/privacy/browser/trunk/syslog-ng
> 
> 