Date: Wed, 6 Jan 1999 09:55:43 +0300
From: Vadim Kolontsov <vadim@gala.tversu.ru>
To: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990106095543.B28727@tversu.ru>
References: <19990106002135.A27566@tversu.ru> <19990106015115.A44707@keltia.freenix.fr>
In-Reply-To: <19990106015115.A44707@keltia.freenix.fr>; from Ollivier Robert on Wed, Jan 06, 1999 at 01:51:15AM +0100

Hi,

On Wed, Jan 06, 1999 at 01:51:15AM +0100, Ollivier Robert wrote:
> > Of course this patch doesn't solve the problem with syslog/514 UDP. I
> > know it
>
> Have you looked at ssyslog from the guys in Brazil? It takes the opposite
> approach by making the trusted machine download the logs from each machine
> in a secure way.

Yes, I tried it. It tries to make the network transfer secure, but does
nothing for local logs (gathered via the UNIX domain socket). And their
solution isn't the best for real-time analysis: it doesn't send logs line by
line (or at least in nK buffers). You can, of course, configure it to
download logs to the log server every 2 minutes and analyze them then..

And it deletes local logs after uploading them to the log server :) (this
behaviour can probably be changed)

But I think that ssyslog is a good thing, anyway :)

Regards,
V.

P.S. I'm amazed: it seems that nobody (except the ssyslogd and nsyslog
people) is working on a more reliable/secure syslog replacement.. maybe
because the whole protocol should be changed..

-- 
Vadim Kolontsov
Tver Internet Center NOC
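The "problem with syslog/514 UDP" referred to above is that a collector listening on UDP port 514 has no way to verify anything inside a datagram: hostname, timestamp, tag and text are all written by whoever sent the packet, and UDP does not authenticate the source address either. The following is an added example written for this archive page; it is not code from the original post, from ssyslog or from nsyslog. It assumes the classic BSD syslog wire format (<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, the format RFC 3164 later wrote down), the sample datagrams and the hostname-to-address table are constructed for the demonstration, and check_origin is a hypothetical collector-side check, not something either project implements.

```python
"""BSD syslog over UDP/514: parse incoming datagrams and show what a
collector can and cannot verify about them.

Added example for this thread, not code from the original post, from
ssyslog or from nsyslog.  Assumes the classic BSD syslog wire format
(<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG); all sample datagrams and the
KNOWN_HOSTS table below are constructed for the demonstration.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, a fixed-width BSD timestamp, one hostname token, then the free-form MSG.
_SYSLOG_LINE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>[^\s]+) "
    rb"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(datagram: bytes) -> dict:
    """Decode one datagram into facility/severity/timestamp/hostname/message.

    Raises ValueError for anything that is not a BSD syslog line, so a
    collector can count and drop junk instead of writing it to the log.
    """
    m = _SYSLOG_LINE.match(datagram)
    if m is None:
        raise ValueError("not a BSD syslog line")
    pri = int(m["pri"])
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m["ts"].decode("ascii"),
        "hostname": m["host"].decode("ascii", errors="replace"),
        "message": m["msg"].decode("ascii", errors="replace"),
    }


# Constructed mapping of hostname field -> address the collector expects it
# from.  In practice this would come from configuration or DNS.
KNOWN_HOSTS = {"gala": "62.76.80.10"}


def check_origin(record: dict, peer: tuple, known_hosts=KNOWN_HOSTS) -> str:
    """Hypothetical collector-side check: does the hostname field agree with
    the UDP source address registered for that host?

    This catches sloppy forgeries and misconfigured senders.  It does NOT
    catch a sender that also spoofs the UDP source address, because nothing
    in the protocol binds the datagram contents to the address it came from.
    """
    expected = known_hosts.get(record["hostname"])
    if expected is None:
        return "unknown-host"
    return "ok" if peer[0] == expected else "source-mismatch"


def deliver_loopback(datagram: bytes):
    """Push one datagram through real UDP on 127.0.0.1 and return
    (parsed record, peer address), or None if sockets are unavailable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
             socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            rx.bind(("127.0.0.1", 0))
            rx.settimeout(2)
            tx.sendto(datagram, rx.getsockname())
            data, peer = rx.recvfrom(65535)
    except OSError:
        return None
    return parse_syslog(data), peer


# Constructed samples.  The second is byte-for-byte what a forger on any
# host would send to make the collector believe 'gala' reported a clean su.
GENUINE = b"<38>Jan  6 09:55:43 gala su: BAD SU vadim to root on /dev/ttyp1"
FORGED = b"<38>Jan  6 09:55:43 gala su: vadim to root on /dev/ttyp1"

if __name__ == "__main__":
    for label, dgram in (("genuine", GENUINE), ("forged", FORGED)):
        rec = parse_syslog(dgram)
        print(label, rec["facility"], rec["severity"], rec["hostname"], rec["message"])
        # Same hostname field, same verdict from a naive collector: only the
        # source address gives the check anything to work with.
        print("  from registered address:", check_origin(rec, ("62.76.80.10", 514)))
        print("  from somewhere else:    ", check_origin(rec, ("10.0.0.9", 514)))
    delivered = deliver_loopback(FORGED)
    if delivered:
        rec, peer = delivered
        print("loopback delivery from", peer[0], "->", check_origin(rec, peer))
```

The point the parser makes concrete: both datagrams decode to the same facility, severity and hostname, and the only datum the collector did not receive from the sender is the UDP peer address, which is exactly what a syslog replacement has to replace with something a receiver can verify.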