Re: [logs] How are people bringing DMZ syslog msgs into the central server?

From: Mikael Olsson (mikael.olssonat_private)
Date: Mon Jan 20 2003 - 11:08:22 PST


    Jason Haar wrote:
    > 
    > What with the desire for real-time alerts, how are people bringing those
    > logs in?
    > 
    > Typically it's not considered a good idea to allow arbitrary incoming UDP
    > packets from a DMZ to a LAN, similarly, people don't feel happy putting the
    > central syslog server out in the DMZ, so how do you put those two limiting
    > factors together?
    
    I'd say that the most secure solution is to allow the DMZ boxes to 
    send the log data straight to the log collector.
    
    At least, it SHOULD be.
    
    Unfortunately, this isn't as straightforward an assumption as
    one would think it to be.
    Examples:
    - Two recent syslog-ng snafus:
      http://www.securiteam.com/unixfocus/6H00E0K5PW.html
      http://www.securiteam.com/unixfocus/6G00R1P0AM.html
    - Syslog as well as syslog-ng crashes when an output file exceeds the
      2GB file size limit.  Sending 2GB of "harmless" events takes less than
      five minutes over 100Mbps ethernet.  After this, the log receiver (and 
      hence the alerting facility) is disabled, and will no longer react to 
      "evil" events.  Oops.
    
    However, I'd argue that doing rsync/scp/whatever exposes _more_ 
    functionality than just opening 514/udp, even if such sessions
    are only periodically initiated from the inside.
    
    
    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
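
An added example, not part of the original message and not code from syslog or syslog-ng: one way a log receiver can keep its output file below the 2GB offset limit described above is to check the size before every write and rotate, since a time-based rotation job cannot keep up with a file that fills in minutes. The names `CappedLogSink` and `seconds_to_fill`, the default cap and the number of kept generations are assumptions made for this sketch.

```python
import os

OFF_T_MAX_32 = 2**31 - 1  # largest offset a signed 32-bit off_t can address
MAX_MSG = 1024            # RFC 3164 upper bound for one syslog packet


def seconds_to_fill(limit_bytes, link_bits_per_s):
    """Shortest time in which a sender can push limit_bytes over the link."""
    return limit_bytes * 8 / link_bits_per_s


class CappedLogSink:
    """Append-only log file, rotated on size; the check runs before each write."""

    def __init__(self, path, max_bytes=OFF_T_MAX_32 // 2, keep=4):
        self.path, self.max_bytes, self.keep = path, max_bytes, keep
        self.rotations = 0
        self._open()

    def _open(self):
        self._fh = open(self.path, "ab")
        self._size = os.fstat(self._fh.fileno()).st_size  # resume after restart

    def _rotate(self):
        self._fh.close()
        # Shift path.1 -> path.2 and so on; the oldest generation is overwritten,
        # so disk use stays bounded by (keep + 1) * max_bytes.
        for n in range(self.keep - 1, 0, -1):
            if os.path.exists(f"{self.path}.{n}"):
                os.replace(f"{self.path}.{n}", f"{self.path}.{n + 1}")
        os.replace(self.path, f"{self.path}.1")
        self._open()
        self.rotations += 1

    def write(self, message):
        record = message[:MAX_MSG].rstrip(b"\n") + b"\n"
        if self._size and self._size + len(record) > self.max_bytes:
            self._rotate()
        self._fh.write(record)
        self._fh.flush()
        self._size += len(record)

    def close(self):
        self._fh.close()
```

Because the oldest generation is overwritten, a flood can still push earlier events out of the retained files, so alerting has to read records as they arrive rather than from the rotated files.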
    


