[loganalysis] Re: Central syslog server best practices?

From: Greg Broiles (gbroilesat_private)
Date: Mon Aug 13 2001 - 10:55:30 PDT


    At 05:36 PM 8/12/2001 -0500, Marlys A Nelson wrote:
    >Andreas Östling wrote:
    > >
    > > On Sat, 11 Aug 2001, Marlys A Nelson wrote:
    > > ...
    > > > Recently, the log traffic from our firewall (linux running ipchains) has
    > > > been so heavy that the syslog server has been losing data.
    > > ...
    > > > I'm wondering how others configure their syslogging "enterprise-wide" to
    > > > avoid this problem?
    > >
    > > I think it sounds a bit weird that the syslog server is losing data just
    > > because of one host sending too much information.
    
    Have you considered building a (very small) separate private-IP-space 
    network for log traffic, and/or making sure that the source and destination 
    hosts are all on switched ports? It sounds like your limiting factor is 
    network bandwidth, not disk or processor or RAM.
    
    Have others done this? My interest is partly performance-oriented, partly 
    security-oriented - I'm a little wary of using crypto-based access control 
    approaches to logging, because of the potential that an attacker (or an 
    error) might be able to swamp the related processors with lots of data 
    needing to be encrypted and signed, leading to a logging DoS due to 
    processor load.
    
    > > If you mean you're running standard Linux syslogd on the syslog server, I
    > > think you should really try something else.
    >
    >I am running standard syslogd.  The syslog server is running Red Hat 7.0
    >and is dedicated to the syslog function.  It's a PIII 450 w/ 256Mb of
    >RAM, 3 SCSI disks - 1 for the OS, the other 2 in a software RAID stripe
    >0 for the logs.  A ps shows that the syslogd is taking up about 10% of
    >the CPU fairly consistently.
    
    Do list members have information about the level of security one can expect 
    from syslog-ng? I spent a while reading its online manuals yesterday, and 
    was favorably impressed, but noted that it's not included in OpenBSD's 
    /usr/ports, which made me think the OpenBSD folks haven't taken a look at 
    it yet for buffer overflows or temp file problems or [...], and wondered if 
    anyone else has. I did notice that syslog-ng prior to version 1.4.9 was 
    vulnerable to a remote DoS attack when presented with unexpected-format log 
    entries.
    
    
    --
    Greg Broiles
    gbroilesat_private
    "We have found and closed the thing you watch us with." -- New Delhi street kids
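
    An added example (an editor's illustration, not part of Greg's message or
    anything else in this thread): a small Python script that parses classic
    BSD syslog lines as Linux syslogd forwards them over UDP and reports
    per-host message and byte rates from a captured sample, so that a single
    noisy sender (here a constructed ipchains-style firewall host) can be
    identified and its rate compared with the link it shares with the
    collector, which is the bandwidth question raised above. The sample log
    lines, host names, the 10 Mbit/s link figure and the capture year (BSD
    syslog timestamps carry none) are all assumptions made for the example.
    Lines in an unexpected format are counted and skipped rather than being
    allowed to break the parser.

```python
"""Per-host syslog volume from a captured sample (added example, not from
the thread). Parses classic BSD syslog lines, "<PRI>MMM DD HH:MM:SS host
message", as Linux syslogd forwards them over UDP.
"""
import re
from collections import defaultdict
from datetime import datetime

# <PRI>timestamp host message  (classic BSD syslog, later written up as RFC 3164)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Assumed capture year: BSD syslog timestamps do not carry one.
CAPTURE_YEAR = 2001

# Constructed sample: one ipchains-style firewall host flooding, one quiet
# mail host, and two lines in an unexpected format. Not real log output.
SAMPLE = [
    "<4>Aug 13 10:55:30 fw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:3321 192.0.2.10:80 L=60 S=0x00 I=41234 F=0x4000 T=52 SYN (#3)",
    "<4>Aug 13 10:55:30 fw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:3322 192.0.2.10:80 L=60 S=0x00 I=41235 F=0x4000 T=52 SYN (#3)",
    "<4>Aug 13 10:55:30 fw kernel: Packet log: input DENY eth0 PROTO=17 10.9.8.7:1900 192.0.2.10:1900 L=120 S=0x00 I=41236 F=0x0000 T=52 (#3)",
    "<4>Aug 13 10:55:31 fw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:3323 192.0.2.10:80 L=60 S=0x00 I=41237 F=0x4000 T=52 SYN (#3)",
    "<4>Aug 13 10:55:31 fw kernel: Packet log: input DENY eth0 PROTO=1 10.9.8.7 192.0.2.10 L=84 S=0x00 I=41238 F=0x0000 T=52 (#7)",
    "<4>Aug 13 10:55:32 fw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:3324 192.0.2.10:80 L=60 S=0x00 I=41239 F=0x4000 T=52 SYN (#3)",
    "<22>Aug 13 10:55:31 mail sendmail[2201]: f7DHtVq02201: from=<user@example.net>, size=1423, class=0",
    "this line has no PRI header and is counted as unparsed",
    "<999>Aug 13 10:55:32 fw kernel: bogus priority value, also unparsed",
]


def parse_line(line):
    """Parse one syslog line; return a dict, or None if the format is unexpected."""
    m = _LINE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility*8 + severity; facility <= 23, severity <= 7
        return None
    ts = datetime.strptime("%d %s" % (CAPTURE_YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "ts": ts,
        "host": m.group("host"),
        "msg": m.group("msg"),
        "bytes": len(line.encode("utf-8")),  # UDP payload size of the datagram
    }


def per_host_rates(lines):
    """Return ({host: {msgs, bytes, msgs_per_s, bytes_per_s}}, unparsed_count).

    A host's rate is taken over the seconds from its first to its last
    timestamp inclusive (timestamps have one-second resolution, so a host
    seen only within one second gets a span of 1 s).
    """
    acc = defaultdict(lambda: {"msgs": 0, "bytes": 0, "first": None, "last": None})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        a = acc[rec["host"]]
        a["msgs"] += 1
        a["bytes"] += rec["bytes"]
        a["first"] = rec["ts"] if a["first"] is None else min(a["first"], rec["ts"])
        a["last"] = rec["ts"] if a["last"] is None else max(a["last"], rec["ts"])
    rates = {}
    for host, a in acc.items():
        span = (a["last"] - a["first"]).total_seconds() + 1.0
        rates[host] = {
            "msgs": a["msgs"],
            "bytes": a["bytes"],
            "msgs_per_s": a["msgs"] / span,
            "bytes_per_s": a["bytes"] / span,
        }
    return rates, unparsed


def busiest_host(rates):
    """Host producing the most bytes per second, or None if nothing parsed."""
    if not rates:
        return None
    return max(rates, key=lambda h: rates[h]["bytes_per_s"])


def link_share(rates, link_bits_per_s):
    """Fraction of a link's capacity the summed per-host byte rates would use."""
    total_bits = 8.0 * sum(r["bytes_per_s"] for r in rates.values())
    return total_bits / link_bits_per_s


if __name__ == "__main__":
    rates, bad = per_host_rates(SAMPLE)
    for host, r in sorted(rates.items(), key=lambda kv: -kv[1]["bytes_per_s"]):
        print("%-6s %4d msgs %6d bytes %6.1f msg/s %8.1f B/s"
              % (host, r["msgs"], r["bytes"], r["msgs_per_s"], r["bytes_per_s"]))
    print("unparsed lines:", bad)
    print("busiest sender:", busiest_host(rates))
    print("share of an assumed 10 Mbit/s link: %.4f%%" % (100 * link_share(rates, 10 * 1000 * 1000)))
```

    Feed it a real capture (for instance the output of a packet sniffer on
    UDP/514, one datagram per line) and the bytes-per-second column gives a
    direct figure to set against the link to the collector and the
    collector's UDP receive buffer; the unparsed count is worth watching on
    its own, since a sender emitting lines the collector cannot parse is
    exactly the situation the syslog-ng DoS mentioned above involved.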
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:06:40 PDT