On Thursday, April 3, 2003, at 12:11 PM, Michael Boman wrote:

> On Fri, Mar 28, 2003 at 10:29:03AM -0500, Blaise St-Laurent wrote:
>> On Tuesday, March 25, 2003, at 10:52 PM, Michael Boman wrote:
>>
>>> Hi all,
>>>
>>> I am looking for a syslog (the old, udp one) software that makes sure
>>> that the integrity of the logs has not been modified since they were
>>> received. I have looked at mSyslog, but the problem with that one is
>>> that I find it unstable and it totally locks up if one of the output
>>> modules doesn't work (we want the logs in a database for ease of
>>> searching as well as normal file for long-time storage). Syslog-ng
>>> seems to do what we want for the database part, but how about making
>>> sure that the logfiles were not subsequently changed after they were
>>> received?
>>>
>>
>> I think you might want to look into msyslog (http://msyslog.sf.net). It
>> allows for signing of logs as they come in, using a key on the local
>> machine.
>
> As my initial email stated, quoted above, I have already tried mSyslog
> and I didn't find it stable enough, hence I am looking for a replacement
> software.

Oops, my bad.

>> I'm in the process of figuring out how to configure syslog-ng to pass
>> the syslog entries through openssl to sign the lines before they are
>> written to disk. Watch the mailing list for more information.
>
> I will watch this with great interest.
>

The more I think about it though, the less I think that database +
tamper resistance is going to be a syslog issue. If you want to sign or
at least put a checksum against every line that goes into your db, the
best way I could think of doing this is to write a trigger on insert
that calculates the checksum based on the values you supply (time,
server, msg etc.) and adds it to the appropriate column. I'm not sure of
the crypto support in any of the major DBs, though I do know mysql and
postgres have md5 functions.

Would this + the mysql pipe method of entering logfiles into the DB work
for you? The reason I ask is because I'm working towards signing the log
and then writing it to a txt file, not a database.

> Best regards
> Michael Boman
>
> --
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd
> http://www.securecirt.com
>

Blaise St-Laurent
Senior Security Architect
613-266-4258
____________________________________________________________________
Okiok Data
http://www.okiok.com
(450) 681-1681
Enterprise and e-business security solutions

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 13:34:32 PST
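
The insert trigger described in the message above, as an added example that is not part of the original post. It uses Python's sqlite3 instead of MySQL or PostgreSQL so that it runs stand-alone, and it goes beyond the message by using a keyed HMAC-SHA256 chained to the previous row rather than a plain md5, because anyone able to rewrite a row could also recompute an unkeyed checksum. The table layout, key and sample entries are constructed for the example.

```python
import hashlib
import hmac
import json
import sqlite3

# Assumption: the key is held by the logging process, never stored in the database.
KEY = b"constructed-demo-key"

def row_mac(prev_mac, ts, host, msg):
    """HMAC-SHA256 over the previous row's MAC plus this row's fields."""
    data = json.dumps([prev_mac, ts, host, msg]).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def open_log_db():
    db = sqlite3.connect(":memory:")
    db.create_function("row_mac", 4, row_mac)  # makes row_mac() callable from SQL
    db.executescript("""
        CREATE TABLE logs (id INTEGER PRIMARY KEY AUTOINCREMENT,
                           ts TEXT, host TEXT, msg TEXT, mac TEXT);
        CREATE TRIGGER logs_mac AFTER INSERT ON logs
        BEGIN
            UPDATE logs SET mac = row_mac(
                (SELECT mac FROM logs WHERE id < NEW.id ORDER BY id DESC LIMIT 1),
                NEW.ts, NEW.host, NEW.msg) WHERE id = NEW.id;
        END;
    """)
    return db

def verify(db):
    # Returns the ids of rows whose stored MAC fails recomputation.
    bad, prev = [], None
    for rid, ts, host, msg, mac in db.execute("SELECT * FROM logs ORDER BY id"):
        expected = row_mac(prev, ts, host, msg)
        if not hmac.compare_digest((mac or "").encode(), expected.encode()):
            bad.append(rid)
        prev = mac  # chain on the stored value so one edit flags one row
    return bad

# Constructed sample syslog entries (time, server, msg).
SAMPLE = [
    ("2003-04-03T12:00:01", "fw1", "sshd[311]: Accepted password for admin"),
    ("2003-04-03T12:00:07", "fw1", "su: admin to root on /dev/ttyp0"),
    ("2003-04-03T12:01:15", "web2", "httpd: caught SIGTERM, shutting down"),
]

def load_sample():
    db = open_log_db()
    db.executemany("INSERT INTO logs (ts, host, msg) VALUES (?, ?, ?)", SAMPLE)
    return db
```

Rows removed from the end of the table leave the remaining chain intact, so the newest MAC also has to be recorded somewhere the database writer cannot reach.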