RE: [logs] reinventing syslog [was: Secure Central Log Host]

From: Ogle Ron (Rennes) (ron.ogleat_private)
Date: Fri Dec 06 2002 - 04:07:16 PST

    Having correct time is a paramount consideration for a secure logging
    solution.  One solution that is not very expensive is to use a GPS receiver
    connected to a PC to get the time.  GPS time is pretty darn close to the
    atomic clocks, but that doesn't really matter anyway.  What does matter is
    that all of your systems are on the same time.
    
    The problem that we find working in a world wide environment is that syslog
    only processes logs in local time.  So even though the system is getting its
    time from a GMT time source, the syslog "corrects" the log output to GMT +
    timezone.  So when we collect these logs from around the world, we have to
    correct the log entries back to GMT time.  We've also experimented with
    moving all of the machines to GMT time.  The local admins don't like that
    option though.
    
    If you don't want to open your firewall, then create at least 2 PC/GPS
    systems and deploy them, ideally, in different locations.  Then configure your
    clients to point to both servers.  The NTPv4 protocol does a very good job
    not only of keeping systems on time, but it also lets you use authentication to
    make sure that your clients are only getting time updates from authorized
    servers.
    
    Another solution is to "proxy" NTP through the firewall using maybe some
    existing servers such as your DNS forwarding or SMTP servers.  These
    machines should be very well locked down and NTP shouldn't add any
    additional risk to those machines.  Hopefully, you have at least two
    machines on different networks geographically separated.  Then on the
    inside, point a few internal systems to these "proxies".  These internal
    machines will then become your internal time syncs that the other machines
    will use.  I would suggest that you also use an NTPv4 external clock that
    provides authentication to prevent hackers from playing with your time.
    
    NTP configuration for a system is right next to DNS configuration in
    importance and order when bringing a machine on-line.
    
    My .02 Euro (now worth less than .02 USD)
    Ron Ogle
    Rennes, France
    
    > -----Original Message-----
    > From: tevfik [mailto:tevfikat_private]
    > Sent: Thursday, December 05, 2002 3:34 AM
    > To: loganalysisat_private
    > Subject: Re: [logs] reinventing syslog [was: Secure Central Log Host]
    > 
    > 
    > > On Wed, 2002-12-04 at 14:00, Tevfik Karagulle wrote:
    > > >
    > > > Wouldn't it be enough to configure your central log host as an NTP server
    > > > for machines generating syslogs or other logs ?
    > > 
    > > Sometimes you cannot do that; think, for example, of the cases when you
    > > need to "poke yet another hole" through some firewall to allow a 
    > > host to send syslog datagrams to the logging server. In that case, 
    > > poking two holes (syslog and NTP) instead of one (syslog) might make 
    > > a big difference.
    > > (If you don't believe one more protocol poked through the firewall 
    > > can be the cause for a major fuss, go ask the closest security 
    > > analyst :-P)
    > > 
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
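The message above describes the practical problem of syslog stamping entries in each sender's local time and the collector having to "correct the log entries back to GMT".  The following is an added example, not code from the list or from any of the posters, showing how a central log host can do that correction: it parses classic BSD syslog lines (which carry no year and no timezone), looks up the origin host's UTC offset, rewrites the timestamp as UTC, and orders the entries by true time.  The host-to-offset table, the sample log lines and the host names are constructed for the example; fixed offsets are used instead of zoneinfo names as a simplification, so a real deployment would have to account for daylight-saving changes.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed map: origin host -> UTC offset (hours) of that host's local clock.
# A real collector would key this on zoneinfo names so DST is handled;
# fixed offsets are a simplification for the example.
HOST_UTC_OFFSET_HOURS = {
    "fw-rennes": 1,      # CET, no DST in December
    "web-sydney": 11,    # AEDT
    "db-denver": -7,     # MST
}

# Classic BSD syslog line: "Mon dd hh:mm:ss host tag: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def normalize_line(line, year, offsets=HOST_UTC_OFFSET_HOURS):
    """Rewrite one syslog line's local timestamp as UTC.

    Returns (utc_iso_timestamp, host, rest) or None when the line does not
    parse or the host's timezone is unknown.  The year is supplied by the
    caller because BSD syslog timestamps do not carry one.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host = m.group("host")
    if host not in offsets:
        # Unknown origin: do not guess a timezone, let the caller flag it.
        return None
    hour, minute, second = (int(x) for x in m.group("time").split(":"))
    local_tz = timezone(timedelta(hours=offsets[host]))
    local_dt = datetime(year, MONTHS[m.group("mon")], int(m.group("day")),
                        hour, minute, second, tzinfo=local_tz)
    utc_dt = local_dt.astimezone(timezone.utc)
    return utc_dt.strftime("%Y-%m-%dT%H:%M:%SZ"), host, m.group("rest")


def normalize_lines(lines, year):
    """Normalize a batch of lines to UTC and sort them by true event time.

    Returns (normalized, unknown): normalized is a list of
    (utc_timestamp, host, rest) tuples in UTC order; unknown holds the raw
    lines that could not be normalized and need attention.
    """
    normalized, unknown = [], []
    for line in lines:
        result = normalize_line(line, year)
        if result is None:
            unknown.append(line)
        else:
            normalized.append(result)
    normalized.sort(key=lambda r: r[0])
    return normalized, unknown


# Constructed sample input: three sites, each logging in its own local time.
# In local-time order Sydney's entry looks latest; in UTC it precedes Rennes.
SAMPLE_LINES = [
    "Dec  6 13:07:16 fw-rennes kernel: DROP IN=eth0 SRC=203.0.113.9",
    "Dec  6 23:07:10 web-sydney sshd[1234]: Accepted publickey for ops",
    "Dec  6 05:06:58 db-denver postgres[77]: connection authorized",
    "Dec  6 12:00:00 unknown-box cron[5]: job started",
]

if __name__ == "__main__":
    ordered, flagged = normalize_lines(SAMPLE_LINES, 2002)
    for ts, host, rest in ordered:
        print(ts, host, rest)
    for line in flagged:
        print("UNKNOWN ORIGIN:", line)
```

Lines from hosts that are not in the table are returned separately rather than silently stamped with the collector's own timezone, since a wrong correction is harder to spot later than a missing one.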
    This archive was generated by hypermail 2b30 : Fri Dec 06 2002 - 10:32:34 PST