Date: Sat, 6 Dec 1997 11:01:23 -0500 (EST)
From: Robert Watson
To: security@freebsd.org
Subject: syslogd logging to remote hosts (fwd)

Now that I think about it, this message is better addressed to freebsd-security, as this is really largely a security issue.

It occurs to me also that if you don't have a router filtering packets (or don't entirely trust the local net), another host elsewhere can spoof the rejection message from the log server (assuming my analysis of the situation is correct?) and disable your logging to the host. On the other hand, if you don't have filtering, they can just fill your logs.. :)

Robert N Watson
Carnegie Mellon University http://www.cmu.edu/
SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org http://www.watson.org/~robert/

---------- Forwarded message ----------
Date: Sat, 6 Dec 1997 10:58:35 -0500 (EST)
From: Robert Watson
To: questions@freebsd.org
Subject: syslogd logging to remote hosts

When syslogd logs to a remote host, i.e.,

    *.* @loghost.domain.stuff

it sends its normal UDP syslog packets. However, if the remote server goes down for some non-trivial amount of time, the local syslogd apparently disables the delivery of syslog messages to that host. Or at least, in my case, the two hosts are on the same ethernet, and when the log server is down because it has rebooted, the client will sometimes discontinue logging to the host. It never restarts.

This seems like very bad default behavior. I would rather that it send the messages and they just get lost while the log server reboots, than have it stop sending them. Without looking at the source, I'd guess there are one of two possibilities:

1. The client disables logging because the server does not respond (unlikely -- syslog is a one way thing), or

2. When the log server is booting, it responds to pings/etc before syslogd starts. When the client sends a packet to the server, it is rejected because syslogd is not listening, in which case the client udp connection (as it were) is closed, for whatever reason.

I have noticed this behavior on a number of occasions. Sending the client syslogd a HUP restarts logging again, but a) this is a pain due to the number of clients, and b) I'd rather not lose log messages -- this is why I have a secure log server.

Thanks,

Robert N Watson
Carnegie Mellon University http://www.cmu.edu/
SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org http://www.watson.org/~robert/
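The second possibility above can be reproduced without syslogd: a connected UDP socket on Linux/BSD surfaces the ICMP port-unreachable that an unlistened port returns as ECONNREFUSED on a later send(). This added example (not code from the post or from FreeBSD's syslogd) models a forwarder that, unlike the behaviour described, records that error and keeps the destination enabled; the loopback port, the sample syslog lines and the retry pause are constructed assumptions.

```python
import errno
import socket
import time

# Constructed sample syslog lines (RFC 3164-style priority prefix), not real log data.
SAMPLE_MESSAGES = [
    "<13>Dec  6 11:01:23 client syslogd: restart",
    "<38>Dec  6 11:01:24 client sshd[123]: Accepted publickey for admin",
    "<13>Dec  6 11:01:25 client syslogd: test message 1",
    "<13>Dec  6 11:01:26 client syslogd: test message 2",
]


def free_udp_port() -> int:
    """Pick a loopback UDP port nothing listens on: the 'server is up but
    syslogd has not started yet' state from the post."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def forward_with_retry(host: str, port: int, messages, pause: float = 0.05) -> dict:
    """Send each line to host:port over a connected UDP socket.

    After the peer answers a datagram with ICMP port unreachable, the kernel
    reports ECONNREFUSED on the socket's next send(). A forwarder that treats
    that as fatal stops logging; this one records the errno name and keeps
    going, since the log server may simply be rebooting.
    """
    result = {"sent": 0, "errors": [], "forwarding_enabled": True}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.connect((host, port))
        for line in messages:
            try:
                sock.send(line.encode())
                result["sent"] += 1
            except OSError as exc:
                # Keep the destination enabled; only note the refusal.
                result["errors"].append(errno.errorcode.get(exc.errno, str(exc.errno)))
            time.sleep(pause)  # let any ICMP error reach the socket before the next send
    return result


def demo() -> dict:
    """Run the forwarder against a closed loopback port and return its bookkeeping."""
    return forward_with_retry("127.0.0.1", free_udp_port(), SAMPLE_MESSAGES)


if __name__ == "__main__":
    print(demo())
```

Every message is attempted and the destination stays enabled; any errors recorded are ECONNREFUSED, which is the event the post suspects makes syslogd give up.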