[syslog-ng] Securing syslog-ng

Gergely Nagy algernon at balabit.hu
Sat Jul 9 23:34:23 CEST 2011


Martin Holste <mcholste at gmail.com> writes:

> Either use Syslog-NG Premium Edition with SSL transport or set up
> OpenVPN (or any other VPN) for the transport.

You don't necessarily need PE for SSL. syslog-ng 3.2 OSE supports TLS
as well, at least according to the documentation.

I only have the sources for 3.3 at hand, and that includes TLS support
for sure.

> It is a very bad idea to let anyone write logs to your system from the
> Internet.  At the absolute minimum, use a firewall or iptables to only
> allow known-hosts to send logs.  That's still poor protection if
> you're allowing UDP, as UDP can be spoofed.

Either a VPN or syslog-ng's built-in TLS support works like a
charm. Although if one needs to use UDP for some reason, then VPN is
pretty much the only option.

The advantage of using syslog-ng's built-in TLS support over a VPN is
that it's a single service. If an attacker gains root on a client, the
best he can do is send fake logs. If he had control over that side of
the VPN, that'd open up a few more possibilities (unless guarded
against.. but then it's easier to use syslog-ng :P).

-- 
|8]
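
The built-in TLS transport discussed in this message, as an added example that is not part of the original e-mail: a server source that accepts only clients presenting a certificate signed by a trusted CA, and the matching client destination. The file paths, the host name logserver.example.com, port 6514 and the object names are assumptions; the options are those documented for syslog-ng 3.x OSE.

```conf
# --- Log server (assumed paths and names) ---------------------------
source s_tls {
    tcp(
        ip(0.0.0.0) port(6514)
        tls(
            key_file("/etc/syslog-ng/key.d/server.key")
            cert_file("/etc/syslog-ng/cert.d/server.crt")
            # Directory of trusted CA certificates (hashed file names).
            ca_dir("/etc/syslog-ng/ca.d")
            # Reject any client without a valid certificate from a
            # trusted CA. The weak alternative, optional-untrusted,
            # would encrypt the stream but accept any sender.
            peer_verify(required-trusted)
        )
    );
};

destination d_remote {
    file("/var/log/remote/$HOST/messages" create_dirs(yes));
};

log { source(s_tls); destination(d_remote); };

# --- Log client (assumed paths and names) ---------------------------
# s_local is assumed to be the client's existing local source.
destination d_tls {
    tcp(
        "logserver.example.com" port(6514)
        tls(
            # Per-host key and certificate, so a compromised client
            # can be cut off without touching the others.
            key_file("/etc/syslog-ng/key.d/client.key")
            cert_file("/etc/syslog-ng/cert.d/client.crt")
            ca_dir("/etc/syslog-ng/ca.d")
            # Verify the server's certificate before sending logs.
            peer_verify(required-trusted)
        )
    );
};

log { source(s_local); destination(d_tls); };
```

Run `syslog-ng --syntax-only` against each file before reloading to catch option-name or path mistakes.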


