On 09/16/2011 04:46 PM, Bucci, David G wrote:
> J. Bern - just curious - is syslogging over stunnel less stable for some reason, or does it exacerbate the reliability problem mentioned in the manpage? Iow, if you're satisfied with your syslog processing today, will layering in stunnel make anything worse?
> Neither RELP nor gssapi auth provide encryption for syslog traffic, iirc ... if you're truly worried about snooping on syslog traffic, not sure how they would help. Seems to me they're orthogonal issues. No?
Reliability, authentication, secrecy, nonrepudiation, etc. certainly are "orthogonal" in that one doesn't replace the other. Nonetheless, they all are part of IT security and whenever someone says the magic words "we need to secure that", I fully expect *all* these parts to surface in the ensuing project. :-}
Case in point: If your logging warrants encryption to prevent an intruder from reading any messages flying by at random (as opposed to just having a policy that says "all traffic, even if only internal, needs to be encrypted"), it's very likely that the same intruder keeping some of these messages from getting to you (attack on reliability) would be just as bad.
Having said that: I've never run syslog over stunnel and don't know of any issues in doing so beyond the obvious ones (increased connection setup time, possibility of unnoticed cert expiry, etc.). I'm merely following the principle that if you can get a subsystem with the desired functionality already built in, it's likely to have fewer problems (technical as well as design) than trying to cobble things together yourself - and the arena of remote logging protocols has seen *a lot* of evolution to take your pick from.
(That is, at least as far as multipurpose computers are concerned. Office grade switches and routers *still* tend to max out at the stone age UDP-based non-sequence-numbered syslog protocol, for crying out loud. >:-C )
Kind regards,
J. Bern