
Re: Secure remote syslogging?



Stefan Neufeind <stefan@neufeind.net> wrote:
> what is the best way to remotely syslog? In

Use a dedicated machine. Cut the 'transmit' pair in the CAT5 cable.
syslog is UDP, which is only one-way, so it doesn't need to transmit.

Obviously you'll have no remote access to the syslog server, but neither
will an attacker.

Or, print each syslog message as it's received. Your attacker will have
to work the printer hard enough to set it on fire to destroy your logs.

http://www.techimo.com/photo/showphoto.php?photo=3067

> I make it secure that there can't exist any log-entries somebody 
> "faked" into our remote-syslog-file?

You can't really authenticate a syslog entry; they carry no
authentication information. Try this:
logger -p kern.crit Kernel panic\!

You'll just have to work out somehow which messages are real and which
are fake.
-- 
Sam "Eddie" Couter  |  mailto:sam@couter.dropbear.id.au
Debian Developer    |  mailto:eddie@debian.org
                    |  jabber:sam@teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
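
Added example (not part of the original message): a receiver-side sketch in Python that decodes the sender-chosen PRI field of a BSD-format syslog datagram, which is the only thing the logger command above had to set, and flags datagrams worth a second look. The known-sources table, host names, sample datagrams and the rule that genuine kernel messages carry the tag "kernel" are assumptions made for illustration. Every field checked is supplied by the sender, so a clean result is triage, not authentication.

```python
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog layout: <PRI>Mmm dd hh:mm:ss host tag[pid]: text
LINE = re.compile(
    rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
    rb"([^:\[\s]+)(?:\[\d+\])?: ?(.*)$", re.S)

# Constructed sample data (not captured traffic); addresses are documentation ranges.
KNOWN = {"192.0.2.10": "web1"}   # hypothetical: source address -> expected hostname
REAL = b"<2>Oct 11 22:14:15 web1 kernel: Out of memory: Kill process 4242"
FAKE = b"<2>Oct 11 22:14:15 web1 alice: Kernel panic!"   # what a user-level logger sends


def decode_pri(pri):
    """Split PRI into (facility, severity). Both are whatever the sender chose."""
    fac, sev = divmod(pri, 8)
    name = FACILITIES[fac] if fac < len(FACILITIES) else f"facility{fac}"
    return name, SEVERITIES[sev]


def triage(datagram, src_ip, known_sources):
    """Return (facility, severity, reasons to distrust) for one UDP datagram."""
    m = LINE.match(datagram)
    if not m:
        return None, None, ["unparseable"]
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest valid PRI
        return None, None, ["PRI out of range"]
    facility, severity = decode_pri(pri)
    host = m.group(3).decode(errors="replace")
    tag = m.group(4).decode(errors="replace")
    reasons = []
    if src_ip not in known_sources:
        reasons.append("unknown source address")
    elif known_sources[src_ip] != host:
        reasons.append("hostname field does not match source address")
    # Assumption: the local syslog daemon tags real kernel messages "kernel".
    if facility == "kern" and tag != "kernel":
        reasons.append("kern facility from non-kernel tag")
    return facility, severity, reasons


if __name__ == "__main__":
    for sample in (REAL, FAKE):
        print(triage(sample, "192.0.2.10", KNOWN))
```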
