loggint through syslog

Ryan Malayter malayter at gmail.com
Fri Dec 18 08:33:31 MSK 2009

On Thursday, December 17, 2009, merlin corey <merlincorey at dc949.org> wrote:
> If you want to wear that security blanket, go ahead.
> If you are worried about the integrity of your logfiles, you should
> implement some kind of integrity checking on every important point.
> This means that even if you do push things over your favorite secure
> protocol to another system you'll want to do some kind of integrity
> checking there because someone could break in and tamper with the data
> on the "secure" system.

Exploiting nginx or a web app gives you access to the system where the
logs are if they are on  disk. It is not easy to get from there to a
completely separate syslog server that is hardened. Yes, you can send
fake data to the syslog server, but you cannot erase evidence of your
attack without breaking into it as well. WORM media can be used on the
log sever. Defense in depth.

> Security folks know that everything breaks, so they plan for and
> monitor breakages.

Yes, and one of those checks is "how can I trust my log files to
provide evidence of attack so I can fix things, comply with
regulations, and help law enforcement catch the bastards". Having your
only logs on the system with the largest attack surface, the web
server, is not a good idea.

> What's the plan for when the syslog server goes down?  No logs at all then?

Standard practice is to send logs to multiple log servers, via unicast
or multicast. Or at least send them to local disk and syslog so you
can compare. PCI, HIPPA, SOX, and many other regulations have
requirements  for log retention and authentication.

Are you being serious here, or just contrarian?


More information about the nginx mailing list