From owner-freebsd-security Mon Jan 11 07:58:53 1999
From: ark@eltex.ru
Date: Mon, 11 Jan 1999 18:56:36 +0300
Message-Id: <199901111556.SAA12215@paranoid.eltex.spb.ru>
In-Reply-To: <19990106095543.B28727@tversu.ru> from "Vadim Kolontsov"
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: kernel/syslogd hack
To: vadim@tversu.ru
Cc: freebsd-security@FreeBSD.ORG

nuqneH,

Yep, realtime is a problem (and always will be a problem if we use UDP).
nsyslogd can use TCP at least to ensure no data were lost.

Vadim Kolontsov said:

> > > Of course this patch doesn't solve the problem with syslog/514 UDP. I
> > > know it
> >
> > Have you looked at ssyslog from the guys in Brazil? It takes the opposite
> > approach by making the trusted machine download in a secure way the logs
> > from each machine.
>
> Yes, I tried it. It tries to make network transfer secure, but does
> nothing for local logs (gathered via UNIX domain socket).
>
> And their solution isn't best for real-time analyzing: it doesn't send
> logs string by string (or at least nK-buffer by buffer). You can, of course,
> configure it to download logs to the log server every 2 minutes, and analyze them
> then..
> And it deletes local logs after uploading to the log server :) (this behaviour
> can be changed, probably)
>
> But I think that ssyslog is a good thing, anyway :)
>
> Regards,
> V.
>
> P.S. I'm amazed - it seems that nobody (except the ssyslogd and nsyslog people)
> is working on a more reliable/secure syslog replacement.. maybe because
> the whole protocol should be changed..

                                        CU in Hell
                                        /Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!
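The UDP-versus-TCP point in the message above (a dropped datagram vanishes silently, while a stream transport loses nothing but has no message boundaries of its own) as an added example that is not nsyslogd's or ssyslog's code: a receiver-side framer for syslog over TCP. It assumes the two framings RFC 6587 describes, octet counting ("LEN SP MSG") and newline termination, and the sample messages and chunk boundaries are constructed here.

```python
"""Framing syslog messages read from a TCP stream (added example).

Over UDP each datagram is one message and a lost datagram leaves no trace.
Over TCP nothing is lost, but a socket read can return half a message or
several at once, so the receiver has to frame the stream itself.  A frame
starting with a digit is treated as octet-counted ("52 <34>..."), anything
else as newline-terminated, which is the detection RFC 6587 suggests.
"""
from typing import List, Tuple


def extract_messages(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Return (complete messages, unconsumed remainder) for a stream buffer."""
    msgs: List[bytes] = []
    while buf:
        if buf[:1].isdigit():                        # octet-counted frame
            sp = buf.find(b" ")
            if sp < 0:                               # length prefix still incomplete
                break
            end = sp + 1 + int(buf[:sp])
            if len(buf) < end:                       # body not fully received yet
                break
            msgs.append(buf[sp + 1:end])
            buf = buf[end:]
        else:                                        # newline-terminated frame
            nl = buf.find(b"\n")
            if nl < 0:                               # wait for the terminator
                break
            msgs.append(buf[:nl].rstrip(b"\r"))
            buf = buf[nl + 1:]
    return msgs, buf


def read_stream(chunks: List[bytes]) -> List[bytes]:
    """Feed socket-sized chunks through the framer, carrying leftovers between reads."""
    buf, out = b"", []
    for chunk in chunks:
        buf += chunk
        got, buf = extract_messages(buf)
        out.extend(got)
    return out


def octet_frame(msg: bytes) -> bytes:
    """Sender side of octet counting: length, space, message."""
    return b"%d %s" % (len(msg), msg)


# Constructed sample: two octet-counted messages and one newline-terminated one,
# then split at arbitrary points to mimic partial TCP reads.
SAMPLE_MESSAGES = [
    b"<34>Jan 11 18:56:36 paranoid su: ROOT LOGIN on ttyp0",
    b"<38>Jan 11 18:56:37 paranoid sshd: accepted",
    b"<13>Jan 11 18:56:38 paranoid test: newline framed",
]
STREAM = (octet_frame(SAMPLE_MESSAGES[0]) + octet_frame(SAMPLE_MESSAGES[1])
          + SAMPLE_MESSAGES[2] + b"\n")
SAMPLE_CHUNKS = [STREAM[:17], STREAM[17:60], STREAM[60:]]
```

Feeding the stream one byte at a time yields the same three messages, which is the property a UDP receiver cannot offer: a message is either delivered whole or not yet, never silently dropped.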