Re: [loganalysis] Re: Central syslog server best practices?

From: Mordechai T. Abzug (mortyat_private)
Date: Wed Aug 15 2001 - 15:39:32 PDT


On Tue, Aug 14, 2001 at 09:29:53PM -0700, 'Nate Campi' wrote:

> I still like the idea of protecting the log stream with encryption,
> but this needs to be built into the syslog daemon, or done without
> using a shell account on *either* end of the connection, IMHO. Hell,
> doesn't the Windoze "cryptcat" utility do that already for arbitrary
> network data?

"cryptcat" (available for both *nix and *doze) encrypts, but doesn't
authenticate.  It's also non-transparent.  The problem with a
non-transparent external encryption tunnelling program is that your
syslog daemon won't see your original IP, it will see its local IP.

"stunnel" (available for *nix and *doze) will encrypt arbitrary TCP
data via SSL.  And since it's SSL, you have all sorts of options on how
to handle trust and authentication on both ends.  In theory, it should
work with any TCP logger (i.e. syslog-ng), but not for UDP.  stunnel
supports transparency, but only on some OSs.

Good VPN software can usually be configured to handle authentication,
avoid trust, encrypt both TCP and UDP, and be transparent.  It's also
usually a PITA to configure.

Of course, the problem with any encryption is that it will chew up CPU
during an event storm, which is often when you most need your CPU for
other stuff.

- Morty
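The stunnel-around-syslog-ng arrangement Morty sketches, written out as an added example (not part of the original post): two stunnel configuration files in the later stunnel 4/5 ini syntax rather than the 2001 command-line form, with certificate verification on both ends so the tunnel authenticates the sender as well as encrypting the stream, and source-address transparency on the server so syslog-ng still records the forwarder's real IP. Hostnames, ports, addresses and certificate paths are placeholders.

```ini
; === File 1: /etc/stunnel/syslog-client.conf on each forwarding host ===
; syslog-ng on this host sends plain TCP syslog to 127.0.0.1:5140, e.g.
;   destination d_loghost { tcp("127.0.0.1" port(5140)); };
; stunnel wraps that stream in TLS and forwards it to the central server.
; All hostnames, ports, addresses and certificate paths are placeholders.
client  = yes
cert    = /etc/stunnel/forwarder.pem    ; this host's certificate and private key
CAfile  = /etc/stunnel/ca.pem           ; CA that issued the log server's cert
verify  = 2                             ; require a server cert that chains to CAfile
checkHost = loghost.example.com         ; and that names the server we expect

[syslog]
accept  = 127.0.0.1:5140
connect = loghost.example.com:6514

; === File 2: /etc/stunnel/syslog-server.conf on the central log server ===
; Terminates the tunnels and hands plain TCP syslog to the local syslog-ng,
; which listens on the server's own LAN address (placeholder 192.0.2.10):
;   source s_tls { tcp(ip(192.0.2.10) port(5140)); };
cert    = /etc/stunnel/loghost.pem
CAfile  = /etc/stunnel/ca.pem           ; CA that issued every forwarder's cert
verify  = 2                             ; forwarders MUST present a cert that chains
                                        ; to CAfile: the tunnel now authenticates the
                                        ; sender, not just encrypts the bytes
; Preserve the forwarder's source IP so syslog-ng logs the real origin rather
; than the tunnel endpoint.  Linux only; needs root (no setuid) and the
; iptables/policy-routing setup from the stunnel(8) man page.  Omit on other
; OSs and accept that the logged peer address is the local one.
transparent = source

[syslog]
accept  = 6514
connect = 192.0.2.10:5140
```

With `verify = 2` on the server, a host without a CA-issued client certificate cannot open the tunnel at all, which is the authentication that cryptcat lacks; the client-side `verify`/`checkHost` stop a forwarder from handing its logs to an impostor.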
    