[loganalysis] Re: Central syslog server best practices?

• Previous message: Ron Russell: "[loganalysis] Re: Central syslog server best practices?"
• In reply to: Marlys A Nelson: "Re: Central syslog server best practices?"
• Next in thread: Nate Campi: "Re: [loganalysis] Re: Central syslog server best practices?"
• Next in thread: Matthew Jonkman: "Re: Central syslog server best practices?"
• Reply: Nate Campi: "Re: [loganalysis] Re: Central syslog server best practices?"
• Reply: Ogle Ron (Rennes): "RE: [loganalysis] Re: Central syslog server best practices?"
• Reply: Ogle Ron (Rennes): "RE: [loganalysis] Re: Central syslog server best practices?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 05:36 PM 8/12/2001 -0500, Marlys A Nelson wrote:
>Andreas Östling wrote:
> >
> > On Sat, 11 Aug 2001, Marlys A Nelson wrote:
> > ...
> > > Recently, the log traffic from our firewall (linux running ipchains) has
> > > been so heavy that the syslog server has been losing data.
> > ...
> > > I'm wondering how others configure their syslogging "enterprise-wide" to
> > > avoid this problem?
> >
> > I think it sounds a bit weird that the syslog server is losing data just
> > because of one host sending to much information.

Have you considered building a (very small) separate private-IP-space 
network for log traffic, and/or making sure that the source and destination 
hosts are all on switched ports? It sounds like your limiting factor is 
network bandwidth, not disk or processor or RAM.

Have others done this? My interest is partly performance-oriented, partly 
security-oriented - I'm a little wary of using crypto-based access control 
approaches to logging, because of the potential than an attacker (or an 
error) might be able to swamp the related processors with lots of data 
needing to be encrypted and signed, leading to a logging DOS due to 
processor load.

> > If you mean you're running standard Linux syslogd on the syslog server, I
> > think you should really try something else.
>
>I am running standard syslogd.  The syslog server is running Red Hat 7.0
>and is dedicated to the syslog function.  It's a PIII 450 w/ 256Mb of
>RAM, 3 SCSI disks - 1 for the OS, the other 2 in a software RAID stripe
>0 for the logs.  A ps shows that the syslogd is taking up about 10% of
>the CPU fairly consistently.

Do list members have information about the level of security one can expect 
from syslog-ng? I spent awhile reading its online manuals yesterday, and 
was favorably impressed, but noted that it's not included in OpenBSD's 
/usr/ports, which made me think the OpenBSD folks haven't taken a look at 
it yet for buffer overflows or temp file problems or [...], and wondered if 
anyone else has. I did notice that syslog-ng prior to version 1.4.9 was 
vulnerable to a remote DOS attack when presented with unexpected-format log 
entries.


--
Greg Broiles
gbroilesat_private
"We have found and closed the thing you watch us with." -- New Delhi street kids


---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

• Next message: Brian Hatch: "[loganalysis] Full vs partial pattern matches"
• Previous message: Ron Russell: "[loganalysis] Re: Central syslog server best practices?"
• In reply to: Marlys A Nelson: "Re: Central syslog server best practices?"
• Next in thread: Nate Campi: "Re: [loganalysis] Re: Central syslog server best practices?"
• Next in thread: Matthew Jonkman: "Re: Central syslog server best practices?"
• Reply: Nate Campi: "Re: [loganalysis] Re: Central syslog server best practices?"
• Reply: Ogle Ron (Rennes): "RE: [loganalysis] Re: Central syslog server best practices?"
• Reply: Ogle Ron (Rennes): "RE: [loganalysis] Re: Central syslog server best practices?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:06:40 PDT