Why not just send syslog entries to another machine where they can't be changed? Or use the classic approach of sending syslog entries to a line printer, where an attacker clearly can't get at the old entries.
Let's favor low-tech solutions over high-tech crypto-heavy ones here.
Posted Nov 19, 2011 1:03 UTC (Sat) by Wol (guest, #4433)
The problem with a line printer is simple, and it's the same as a simple text logfile.
If your system is spewing log entries, the "signal" - warning signs of a hack - get lost in the noise.
At least with a logfile you can grep for trouble (although really you want to do the opposite, anti-grep for stuff you know about).
But whatever you do it's a tricky problem, although I would tend to agree with another poster - just add a signed hash field to the current text format.
Cheers,
Wol
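One way to do what the last sentence above suggests, as an added example that is not from the thread: every text line carries a hash field that is an HMAC over the previous line's hash field and the line's own message, so editing or deleting a line breaks the chain for everything after it. The per-entry key evolution (each append derives the next key and discards the old one, while the starting key stays off the machine for the verifier) is an assumption added here, not something the post describes; the key and log lines are constructed sample data.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # hash field of the imaginary line before the first one


def next_key(key: bytes) -> bytes:
    # One-way key evolution: from key_i derive key_{i+1}; the logger then forgets
    # key_i, so an attacker who reads the current key cannot re-sign old lines.
    return hashlib.sha256(b"evolve" + key).digest()


def tag_for(key: bytes, prev: str, message: str) -> str:
    return hmac.new(key, (prev + "\n" + message).encode(), hashlib.sha256).hexdigest()


class HashChainedLog:
    """Plain text log lines, each ending in a hex hash field (assumed format)."""

    def __init__(self, start_key: bytes):
        self.lines = []
        self._key = start_key  # replaced after every append; the old key is dropped

    def append(self, message: str) -> None:
        prev = self.lines[-1].rsplit(" ", 1)[1] if self.lines else GENESIS
        self.lines.append(f"{message} {tag_for(self._key, prev, message)}")
        self._key = next_key(self._key)


def verify(lines, start_key: bytes):
    """Replay the chain from the off-box start key.

    Returns the index of the first line whose hash field does not match
    (a modified, deleted or inserted line), or None if the chain is intact.
    """
    key, prev = start_key, GENESIS
    for i, line in enumerate(lines):
        message, _, tag = line.rpartition(" ")
        if not hmac.compare_digest(tag_for(key, prev, message), tag):
            return i
        key, prev = next_key(key), tag
    return None
```

Truncating the log at the very end is not caught by this check alone; the verifier also needs an expected line count or a periodic "last tag" copied to another machine, which is the same off-box requirement the first post in the thread raises.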
The Journal - a proposed syslog replacement
Posted Nov 19, 2011 8:35 UTC (Sat) by PO8 (guest, #41661)
The Journal seems to require magic storage HW for the current hash. Why not just write the whole log file there? It really isn't hard in 2011 to hook a microcontroller with an SD card slot and a USB port to the host. Add some software and you've got a cheap secure append-only store that can hold 16GB. You could put a reset switch on the package so that if you were to fill it up (hint: you won't) you could clear it and start over.
You get to keep your logs as textfiles, you can search the secure copy, almost no software has to change. Seems like The Journal done right to me.
The Journal - a proposed syslog replacement
Posted Nov 23, 2011 21:50 UTC (Wed) by jd (guest, #26381)
If the syslog files are in a fully logging filesystem, every version is retained, allowing you to recover the missing data without needing any specialist anythings.
The Journal - a proposed syslog replacement
Posted Nov 23, 2011 23:34 UTC (Wed) by dlang (✭ supporter ✭, #313)
Even with today's disk sizes, nobody runs a fully logging filesystem. The inability to overwrite data will fill any disk up very quickly.
A 'logging filesystem' will give you a few older versions, depending on settings, but hardly every older version.