Re: [logs] How are people bringing DMZ syslog msgs into the central server?

From: Harry Hoffman (
Date: Mon Jan 20 2003 - 15:07:09 PST

  • Next message: Paul D. Robertson: "Re: [logs] How are people bringing DMZ syslog msgs into the central server?"

    Hi Mikael,
      I'm not sure what you mean by heaps of functionality but it really isn't that
    difficult. The use of stunnel is more for protecting the data while in transport
    rather than from an attacker on the machine.
    I don't really like the idea of passing all of the logs from one point of the
    DMZ to another for everyone to see. Should only a single box within the DMZ get
    cracked than the attacker cannot simply sniff the traffic to determine
    information from the logs.
    Lots of times simply watching logs fly by will give enough information for a
    very pointed attack. That's the last thing I want to have happen. And I'm more
    than willing to pay for it in overhead of crypto.
    Quoting Mikael Olsson <mikael.olssonat_private>:
    *> Harry Hoffman wrote:
    *> >
    *> > Hi Jason,
    *> >   We are using syslog-ng and stunnel to accomplish this.
    *> > We pump everything from the client over a secure tunnel
    *> > into our syslog server.
    *> This is from your dmz to your internal network?
    *> stunnel?
    *> Talk about exposing heaps of functionality.
    *> You've gone from exposing a couple of hundred lines of simple message
    *> processing to hundreds of _thousands_ of lines of crypto code.
    *> Unless you have a very compelling reason for attempting to protect
    *> the boxes in the dmz from tampering with eachother's log streams
    *> (because stunnel certainly doesn't prevent an intruder on Box A
    *> from tampering with the stream from Box A, or from attacking the
    *> message processing layer on the inside log receiver), I'd remove
    *> stunnel and just go with plain tranport.
    *> --
    *> Mikael Olsson, Clavister AB
    *> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    *> Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    *> Fax: +46 (0)660 122 50       WWW:
    Harry Hoffman
    ITSS Systems Team Leader
    University of Auckland
    *This universe shipped by weight, not volume.*
    *Some expansion may have occured in shipping.*
    This mail sent through IMP:
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 15:27:32 PST