
The Journal - a proposed syslog replacement


Posted Nov 20, 2011 14:41 UTC (Sun) by jamesh (guest, #1159)
In reply to: The Journal - a proposed syslog replacement by jmorris42
Parent article: The Journal - a proposed syslog replacement

If you're talking about the traditional method of sending log messages as simple UDP packets, it might stop an attacker from altering historic logs on the system that generated the logs, but it has its own problems.

Log messages can get lost and since there is no authentication, log messages can be forged. And if the attacker manages to break into the log aggregation server, then you've got the same problems as before.



The Journal - a proposed syslog replacement

Posted Nov 20, 2011 20:48 UTC (Sun) by dlang (✭ supporter ✭, #313)

As soon as you allow machines to send messages over the network it is going to be possible for messages to be forged. The receiving machine has no way of knowing what is happening inside the sending machine and whether the data it is getting is correct or not.

This is not entirely true...

Posted Nov 20, 2011 20:52 UTC (Sun) by khim (subscriber, #9252)

Actually it's exactly the same as with local logging: if a correct authentication scheme is used (i.e. not syslog's UDP) then they can only be forged after takeover. The messages right before takeover are the most valuable. Sure, you must understand that some messages are probably forged and some are not, but this is always the case when forensic analysis is done.
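The two points raised above, that plain UDP syslog lets anyone on the network forge or drop a line, and that an authentication scheme confines forgery to the period after the sender is compromised, can be seen in a small simulation. The following is an added example written for this page; it is not code from systemd, the journal, or any syslog daemon. It assumes a per-host secret key provisioned out of band (HOST_KEYS), a hypothetical RFC 5424-style structured-data element named "auth" that carries a sequence number and an HMAC-SHA256 tag, and a constructed set of log lines. The collector rejects lines whose tag does not verify, rejects replays, and records sequence gaps so that message loss is at least detectable.

```python
"""Authenticated syslog-style forwarding: HMAC tag plus per-host sequence number.

Constructed example for illustration; not the code of any real logging daemon.
"""
import hashlib
import hmac
import re

# Assumption: each sending host shares a secret key with the collector, provisioned
# out of band. Plain UDP syslog has no such key, so any host on the network can emit
# a line claiming to come from "web01".
HOST_KEYS = {
    "web01": b"web01-secret-key-provisioned-out-of-band",
}


def tag(key, host, seq, msg):
    """HMAC over host, sequence number and message so none can be altered or
    re-attached to a different message without the key."""
    data = f"{host}\x00{seq}\x00{msg}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Sender:
    """Forwarder on the monitored host: numbers and tags each line before sending."""

    def __init__(self, host, key):
        self.host, self.key, self.seq = host, key, 0

    def emit(self, msg):
        self.seq += 1
        t = tag(self.key, self.host, self.seq, msg)
        # RFC 5424-like line; the "auth" structured-data element is hypothetical.
        return f'<13>1 - {self.host} app - - [auth seq="{self.seq}" mac="{t}"] {msg}'


# PRI, version, timestamp, host, app, procid, msgid, then the auth element and the text.
LINE_RE = re.compile(
    r'^<\d+>1 \S+ (?P<host>\S+) \S+ \S+ \S+ '
    r'\[auth seq="(?P<seq>\d+)" mac="(?P<mac>[0-9a-f]{64})"\] (?P<msg>.*)$'
)


class Receiver:
    """Collector: verifies the tag, refuses replays, and records sequence gaps."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}
        self.accepted, self.rejected, self.gaps = [], [], []

    def receive(self, line):
        m = LINE_RE.match(line)
        if not m:
            self.rejected.append(("malformed", line))
            return "rejected"
        host, seq, mac, msg = m["host"], int(m["seq"]), m["mac"], m["msg"]
        key = self.keys.get(host)
        if key is None:
            self.rejected.append(("unknown host", line))
            return "rejected"
        # Constant-time comparison: a plain == would leak tag bytes through timing.
        if not hmac.compare_digest(mac, tag(key, host, seq, msg)):
            self.rejected.append(("bad mac", line))
            return "rejected"
        prev = self.last_seq.get(host, 0)
        if seq <= prev:
            self.rejected.append(("replay", line))
            return "rejected"
        if seq != prev + 1:
            # Loss cannot be prevented over UDP, but the gap is now visible.
            self.gaps.append((host, prev + 1, seq - 1))
        self.last_seq[host] = seq
        self.accepted.append((host, seq, msg))
        return "accepted"


def demo():
    """Constructed scenario: one lost line, one forged, one replayed, one tampered."""
    sender = Sender("web01", HOST_KEYS["web01"])
    rx = Receiver(HOST_KEYS)
    lines = [
        sender.emit("sshd: Accepted publickey for deploy"),
        sender.emit("sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash"),
        sender.emit("kernel: audit: type=1400 apparmor=DENIED"),
    ]
    delivered = [lines[0], lines[2]]          # the second line is lost in transit
    results = [rx.receive(l) for l in delivered]
    # An attacker without the key forges a line in web01's name.
    forged = '<13>1 - web01 app - - [auth seq="4" mac="' + "00" * 32 + '"] sshd: Accepted password for root'
    results.append(rx.receive(forged))
    # The attacker replays a genuine, already-seen line.
    results.append(rx.receive(lines[0]))
    # The attacker edits the text of a genuine line in flight.
    results.append(rx.receive(lines[2].replace("audit", "nothing")))
    return results, rx.gaps, [reason for reason, _ in rx.rejected]


if __name__ == "__main__":
    print(demo())
```

The scheme only helps for lines emitted before the sender is taken over: once an attacker holds the host key they can emit correctly tagged lines, which is exactly the point made above about post-takeover forgery. It also does nothing against loss itself, which is why the receiver tracks gaps rather than assuming completeness. In practice the same properties come from running syslog over TLS (RFC 5425) with mutual authentication rather than from a hand-rolled tag, but the example makes the verification step visible.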

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds