Re: [loganalysis] Re: Central syslog server best practices?

From: Matthew Collins (pinguat_private)
Date: Fri Aug 17 2001 - 05:02:02 PDT

On Wed, Aug 15, 2001 at 10:58:45PM -0400, Jeff King wrote:
> 
> You can do this fairly easily with OpenSSH by specifying in your
> authorized_keys file:
> 
> from="my.host",command="/usr/bin/cat >>/var/log/my.host.log",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss YOUR_KEY_GOES_HERE
> 
> Although as an additional measure, I would suggest that each logging client
> get its own unix UID on the server, in case a flaw in SSH (or cat) is found
> wherein a client can break out of this sandbox. In that case, at the very
> worst you have allowed an attacker to erase logs for the compromised machine.

While an interesting idea, I think that's probably a fundamentally flawed
concept - certainly in my enterprise environment administering it would
be a huge pain.

If you insist on using ssh for your authentication/crypto layer, a
more useful approach is probably to use strict host key checking on
both ends to do your host authentication and have the syslog backend
prefix the message with the authenticating host's details, such that
forgery is impossible (the host does not supply the identification
details for the message) for the end host and transit privacy
is assured.

This has the advantage of integrating seamlessly into environments
which have already constructed large-scale host key list generation
mechanisms without requiring manual intervention on the password file,
etc.

Perhaps something like allowing RSA-based shosts authentication for
a "syslog" user which doesn't have a usable shell, but rather spawns
the "write" part of your syslog replacement.

Personally, the approach we've used is TCP-based syslog for reliability
over encryption with stunnel. I know folks who have done it using
zebedee and other tunneling software as well.

Of course, I could be completely wrong ;) I often am ;)

Matt

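One way to implement the server-side prefixing Matt describes, as an added example that is not part of the thread and not code from either poster: a Python script run as the OpenSSH forced command (the command= option in authorized_keys, in the style of Jeff's line above). It takes the peer identity from the SSH_CONNECTION variable that sshd sets for the session, never from anything the client sends, and strips control characters so a client cannot inject forged records into the server's log. The /var/log/remote/ path is an assumption.

```python
#!/usr/bin/env python3
"""Forced-command log receiver (added example, not from the thread).

Installed as the command= in authorized_keys, it never trusts anything the
client sends as its identity: the prefix comes from the SSH session itself.
"""
import os
import sys
import time


def peer_from_env(env):
    """Identity of the authenticated peer, taken from sshd's environment.

    sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port";
    the client cannot alter it through the forced command.  Returns None when
    not running under sshd (e.g. someone invoked the script locally).
    """
    conn = env.get("SSH_CONNECTION", "").split()
    if len(conn) != 4:
        return None
    return conn[0]


def sanitize(line):
    """Drop CR/LF and other control bytes so a client cannot inject fake
    records or terminal escapes into the server-side log."""
    return "".join(ch for ch in line if ch >= " " and ch != "\x7f")


def tag_lines(lines, peer, now=None):
    """Prefix every client line with a server-side UTC timestamp and the peer
    identity.  Exactly one output record per input line."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(now))
    return [f"{stamp} {peer} {sanitize(line)}" for line in lines]


def main():
    peer = peer_from_env(os.environ)
    if peer is None:
        sys.exit("refusing to run outside an sshd forced command")
    logfile = f"/var/log/remote/{peer}.log"  # assumed layout: one file per peer
    with open(logfile, "a") as out:
        for line in sys.stdin:
            out.write(tag_lines([line.rstrip("\n")], peer)[0] + "\n")


if __name__ == "__main__":
    main()
```

Because the log file name and the record prefix both derive from sshd's own view of the connection, a compromised client can at most pollute its own file, which is the property Matt is after.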



    This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 08:34:51 PDT