Sanjay Arora wrote:
I wish to enable logging of events onto a syslog server on the LAN
segment. Can somebody tell me about the security & operational issues
involved?

e.g.

- Do I introduce any security vulnerability in selecting logging on to a
remote syslog server? on the LAN segment?
- What security precautions should be taken? Should the syslog server be
firewalled individually? For that matter, should the servers on the LAN
segment be firewalled individually? Any Pointers to further reading on
this issue?

Search the web for syslog security

- What happens if the network link to the syslog server is interrupted
for some time? Any way of implementing dual logging i.e. on pf-sense
machine and the syslog server? Any pointers to existing implementations?
Or maybe any backend software that imports pfsense logs on to a database
for further processing in realtime or near realtime?

If the link to the remote syslog is interrupted, you'll get many messages like this:
...
Nov 10 02:01:56         last message repeated 10 times
Nov 10 02:01:25         syslogd: sendto: Host is down
...

The internal syslog still continues to work.
AFAIK the syslog in pfSense is a rolling log,
so publishing the logs via a remote syslog server will be the best

Any other pointers or comments on various issues involved.

With best regards.
Sanjay.



greets,
marcus
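
An added example, not part of the original message and not pfSense code: a small parser that scans the local log for the "syslogd: sendto:" failures quoted above and groups them into outage windows, so you can see when the remote syslog server was missing events. The function name, the five-minute grouping gap, the year parameter and the sample lines are assumptions made for this illustration; the line layout follows the excerpt in the message.

```python
import re
from datetime import datetime, timedelta

# Line shape follows the excerpt in the message: "Mon DD HH:MM:SS   text".
LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(.*)$")
SEND_FAIL = re.compile(r"^syslogd: sendto: (.+)$")
REPEATED = re.compile(r"^last message repeated (\d+) times?$")

# Constructed sample lines, not taken from a real system.
SAMPLE = """\
Nov 10 02:01:25   syslogd: sendto: Host is down
Nov 10 02:01:56   last message repeated 10 times
Nov 10 02:03:10   syslogd: sendto: Host is down
Nov 10 02:04:00   sshd[411]: Accepted publickey for admin
Nov 10 02:04:30   last message repeated 2 times
Nov 10 09:15:02   syslogd: sendto: No route to host
""".splitlines()


def forwarding_outages(lines, year=2000, max_gap=timedelta(minutes=5)):
    """Group sendto failures into outage windows (syslog stamps carry no year)."""
    outages, prev_failed = [], False
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        fail, rep = SEND_FAIL.match(m.group(2)), REPEATED.match(m.group(2))
        if fail:
            count, error = 1, fail.group(1)
        elif rep and prev_failed:
            # A repeat line directly after a failure stands for N more failures.
            count, error = int(rep.group(1)), None
        else:
            prev_failed = False  # unrelated message; a repeat after it is not ours
            continue
        prev_failed = True
        if not outages or ts - outages[-1]["end"] > max_gap:
            outages.append({"start": ts, "end": ts, "failed_sends": 0, "errors": set()})
        cur = outages[-1]
        cur["end"] = max(cur["end"], ts)
        cur["failed_sends"] += count
        if error:
            cur["errors"].add(error)
    return outages

if __name__ == "__main__":
    for o in forwarding_outages(SAMPLE):
        print(o["start"], "->", o["end"], o["failed_sends"], sorted(o["errors"]))
```

Events inside a reported window have to be recovered from the local rolling log before it wraps, since the remote server never received them.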
