[Dshield] Opinions on Central Logging Systems

Stephane Grobety security at admin.fulgan.com
Mon Oct 14 21:14:53 GMT 2002

TC> Since it seems to be a slow morning, I would like to throw out a thought
TC> for general discussion.......

TC> I am currently considering several systems for central logging of
TC> alerts, log files, and other security events.  Does anybody out there
TC> have any thoughts or opinions, good or bad, they would care to share.

Well, I personally like the syslog protocol for all "non-critical"
logging. It's easy to set up, can be routed easily, and it's so simple
to use that almost every tool under the sun understands it.

It has two flaws, though: First, it's UDP and, as such, can be flooded
and is difficult to verify. The second problem is that it's almost
impossible to secure as such.

An alternative is to use SSL to tunnel and relay syslog messages. If
you use client certs, then you can add authentication and security (at
the cost of performance).

Good luck,


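As an added illustration of the SSL-tunnel approach described in the post above (this is an example written for this archive page, not the poster's configuration), an stunnel setup in which each syslog daemon forwards over plain TCP to a local stunnel listener, stunnel carries the stream inside TLS, and the central host's stunnel refuses any peer that does not present a client certificate signed by the site CA. Hostnames, ports, file paths and the service names are assumptions; the two services below belong on different hosts and are shown in one file only for readability.

```ini
; Constructed stunnel example. Global options apply to every service
; below unless a service overrides them.
cert   = /etc/stunnel/this-host-cert.pem   ; this host's own certificate
key    = /etc/stunnel/this-host-key.pem
CAfile = /etc/stunnel/site-ca.pem          ; CA that issued every log host's cert

; verify = 2 makes stunnel require a peer certificate and check that it
; chains to CAfile. Omitting it (or verify = 0) still encrypts the stream
; but lets any host that can reach the port inject log records, which is
; exactly the "impossible to verify" problem of plain UDP syslog again.
verify = 2

; --- On each sending host: local syslog daemon writes TCP syslog to
;     127.0.0.1:601, stunnel wraps it in TLS and relays it to the collector.
[syslog-out]
client  = yes
accept  = 127.0.0.1:601
connect = loghost.example.com:6514

; --- On the central collector: terminate TLS on 6514 (IANA syslog-tls),
;     hand the plaintext stream to the local syslog daemon on TCP 601.
[syslog-in]
client  = no
accept  = 0.0.0.0:6514
connect = 127.0.0.1:601
```

Because stunnel relays TCP only, the syslog daemons on both ends must be configured to send and receive syslog over TCP rather than UDP; the client-certificate check authenticates which host sent a record but does not by itself rate-limit an authenticated host that floods, so the collector still needs disk and queue limits.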