On Thu, 12 Dec 2013, Rainer Gerhards wrote:

On Thu, Dec 12, 2013 at 9:14 AM, Radu Gheorghe <[email protected]> wrote:

Hi Luca,

Maybe create a "whitelist" array <http://www.rsyslog.com/filter-optimization-with-arrays/> of
allowed senders and then drop the messages? Or maybe do that from the
firewall (although one from the firewall's whitelist could easily spoof the
hostname variable).


actually, the best cure is TLS-protected syslog with mutual authentication.
Of course I know that nobody wants to do that ;)

Even that won't protect you from malicious log content being generated by one of the trusted machines.

hostname and timestamp are provided by the remote machine and they can only be trusted as far as you trust those machines.

Rsyslog has options to prevent .. from being part of the resulting path that's created, but it's a very common problem to have 'strange' things show up in the hostname field and if you use it for a path you are accepting this.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
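As an added example (not code from this thread and not rsyslog's own implementation), the following Python shows the receiver-side handling David and Radu describe: the RFC 3164 hostname field is treated as untrusted sender-supplied data, checked syntactically so that `/` and `..` can never reach a path, compared against an allow-list of senders, and the resulting file path is confirmed to stay under the log root before use. The log root, the allow-list and the sample lines are all constructed for this example.

```python
import os
import re
from typing import Optional, Tuple

# Constructed values for this example: where per-sender files live and which senders we accept.
LOG_ROOT = "/var/log/remote"
ALLOWED_SENDERS = frozenset({"web01.example.net", "db01.example.net"})

# RFC 3164-style line: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG". Both the timestamp and the
# HOSTNAME field are whatever the sender wrote; nothing in the protocol authenticates them.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)
# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_hostname(line: str) -> Optional[str]:
    """Extract the raw HOSTNAME field, or None if the line is not RFC 3164-shaped."""
    m = _RFC3164.match(line)
    return m.group("host") if m else None


def is_valid_hostname(name: str) -> bool:
    """Syntactic check: only hostname characters, so '/', '..', NUL, spaces etc. never pass."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def printable(value: str, limit: int = 64) -> str:
    """Render a rejected value for our own log without letting control characters through."""
    return "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in value)[:limit]


def route_message(line: str, allowed=ALLOWED_SENDERS, root=LOG_ROOT) -> Tuple[Optional[str], str]:
    """Decide which per-host file a message goes to.

    Returns (path, "ok") or (None, reason). Three independent gates:
    1. the hostname must be syntactically a hostname,
    2. it must be on the allow-list (the "whitelist array" idea from the thread),
    3. the resulting path must still sit under LOG_ROOT (defence in depth).
    """
    raw = parse_hostname(line)
    if raw is None:
        return None, "unparseable"
    host = raw.rstrip(".").lower()  # canonical form: no trailing dot, case-folded
    if not is_valid_hostname(host):
        return None, "bad-hostname:" + printable(raw)
    if host not in allowed:
        return None, "not-allowed:" + host
    path = os.path.normpath(os.path.join(root, host, "messages"))
    if os.path.commonpath([root, path]) != root:
        return None, "escapes-root"
    return path, "ok"


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate line, one forged hostname, one unknown sender.
    samples = [
        "<13>Dec 12 09:14:00 web01.example.net sshd[4242]: Accepted publickey for ops",
        "<13>Dec 12 09:14:01 ../../../etc cron[1]: anything",
        "<13>Dec 12 09:14:02 build99.example.net kernel: hello",
    ]
    for s in samples:
        print(route_message(s))
```

The allow-list only decides whether a sender's messages are accepted at all; as the thread notes, it does not make the content of those messages trustworthy, which is why the syntactic check and the root-containment check run regardless of whether the sender is listed.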