Correct me if I'm wrong but given this setup:
1. Rsyslog server setup to receive RELP from other machines, and save the logs from each remote host to a unique log file
2. An rsyslog server with hostname of test1 set up to forward syslog messages to the RELP receiver
Another server could (either for malicious or misconfiguration reasons) set its hostname to test1 and corrupt the integrity of the 'test1' log.
In terms of solving it, I can think of 3 options but I don't know enough to answer them. Perhaps someone else can:
1. Since I had heard rsyslog supports Kerberos, I thought about using that. However, since it's an output module, I don't think you could combine RELP + GSSAPI. Is there a way to combine them?
2. Another idea would be to use a Certificate Authority / TLS setup. I can't tell for sure, but it looks like TLS is only for TCPServer and not Relp. Again, can anyone confirm this?
3. We've deployed IPSec on all the machines communicating with the central server. Thus I can guarantee that the IP the syslog server is talking to is truly the machine it expects. Perhaps I could use a rule to ignore packets for hostnames that don't match IPs.
Mostly I'm just looking for comments and discussion because I may be completely wrong. Any comments/discussion welcome.
Thanks.
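As an added example of option 3 in rsyslog's RainerScript syntax (written for this reply, not taken from the original post or from the rsyslog project): the receiver keys each per-host file on the connection's peer address, which the sender cannot choose, instead of on the hostname field inside the message, and additionally quarantines any message whose claimed hostname arrives from an address other than the one it is expected from. The test1 to 192.0.2.10 mapping, port 2514 and the file paths are assumptions.

```rsyslog
# Receiver side: accept RELP and route it into a dedicated ruleset
module(load="imrelp")
input(type="imrelp" port="2514" ruleset="remote")

# Per-peer file keyed on $fromhost-ip (the TCP peer address, which IPsec
# already ties to a machine) rather than on $hostname, which is a field
# the sending host writes into the message itself.
template(name="PerPeerFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")

# Format for messages whose claimed hostname and peer address disagree
template(name="MismatchFmt" type="string"
         string="claimed=%hostname% peer=%fromhost-ip% msg=%msg%\n")

ruleset(name="remote") {
    # Option 3: a message claiming to be from test1 must come from test1's
    # address (assumed here to be 192.0.2.10). Anything else is written to
    # a separate mismatch file for review and dropped from the normal path.
    # Repeat the block per host, or move the pairs into a lookup table.
    if $hostname == "test1" and $fromhost-ip != "192.0.2.10" then {
        action(type="omfile" file="/var/log/remote/mismatch.log"
               template="MismatchFmt")
        stop
    }
    action(type="omfile" dynaFile="PerPeerFile")
}
```

Keying the file name on %fromhost-ip% alone already prevents a second machine from writing into test1's file; the explicit check only adds a record of the attempt.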