Thank you for your valuable feedback. I will go with a pair of rsyslog servers.
Just for a bit of clarification: the logs won't go on the internet. From the DMZ they will flow to the enterprise central log server, which is not connected to the internet. The specific here is that from the point of view of one application the rest of the internal company is seen as "outside", thus the DMZ requirement. I fully agree that back-end servers shouldn't talk directly to the internet, but I fail to see a threat coming from a central local rsyslog to the client. The other way I can imagine. Anyway, we need to comply with the standard.

Philippe

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Wednesday 27 January 2016 12:05
To: rsyslog-users
Subject: Re: [rsyslog] Forwarding logs through a proxy.

The best proxy for the syslog protocol is a syslog server of some sort. If you want to use an existing proxy, the question is what protocols does it support?

I agree that it's a good idea to route all traffic through a proxy pair before leaving the location for another location.

I would use a pair of rsyslog servers because that would let you put a good disk cache on them to survive network outages, use RELP for that low-reliability hop while not needing to use it internally, and only have one pair of systems to monitor to keep track of what the state of outbound stuff is.

Even if your proxy can be made to pass syslog traffic, unless it's a syslog server itself, it's not going to understand the protocol, and you would have to duplicate the special config to be reliable in talking to the distant servers on every sender, along with monitoring the status of every sender.

Plus it's just plain bad practice to have back-end servers talking directly to Internet resources. If there is a bug that lets a bad guy compromise your systems through this communication, you want them to only get onto your DMZ. It gives you a chance to catch them before they make it further into your network.
David Lang

On Wed, 27 Jan 2016, Maupertuis Philippe wrote:

> Hi,
> Following a recent audit, I have a requirement that all outwards connections
> should be proxified.
> This requirement applies to syslog as well.
> No connection between the internal secure zone of the application and
> anything else can be made without a proxy in the DMZ.
> This requirement applies to syslog as well.
> I could set up a rsyslog intermediate relay in the DMZ to fulfil this
> requirement; that means two additional servers to maintain (for redundancy).
> Were it possible, I would prefer to use the proxy already in place to
> forward the rsyslog messages from the application central log server
> to the enterprise central log server.
>
> I would welcome any suggestion regarding this setup.
> Regards
> Philippe
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
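
An rsyslog configuration for the layout discussed in this thread, added here as an example and not taken from either poster: the application log server fails over between the two DMZ relays over plain TCP, and each relay forwards over RELP with a disk-assisted queue. Hostnames, ports, the spool directory and the queue size are placeholder assumptions.

```conf
#### File 1: application central log server (inside the secure zone) ####
# relay1.dmz.example / relay2.dmz.example are placeholder names for the relay pair.

# Primary relay. Plain TCP on the internal hop; RELP is kept for the outbound hop.
action(type="omfwd" target="relay1.dmz.example" port="514" protocol="tcp")

# Second relay of the pair, used only while the action above is suspended.
action(type="omfwd" target="relay2.dmz.example" port="514" protocol="tcp"
       action.execOnlyWhenPreviousIsSuspended="on")


#### File 2: each DMZ relay (identical on both servers) ####
global(workDirectory="/var/spool/rsyslog")   # assumed spool path for queue files

module(load="imtcp")    # receives from the application log server
module(load="omrelp")   # sends to the enterprise central log server

# Bind the listener to its own ruleset so relayed traffic is only forwarded,
# never mixed with the relay's local logging rules.
input(type="imtcp" port="514" ruleset="to_central")

ruleset(name="to_central") {
    # central-log.example and port 2514 are placeholders; the receiving
    # server must run an imrelp listener on the same port.
    action(type="omrelp" target="central-log.example" port="2514"
           queue.type="LinkedList"        # asynchronous in-memory queue
           queue.filename="fwd_central"   # setting a file name makes it disk-assisted
           queue.maxDiskSpace="1g"        # cap on spool usage during an outage
           queue.saveOnShutdown="on"      # keep queued messages across restarts
           action.resumeRetryCount="-1")  # retry indefinitely while the link is down
}
```

With this split, only the two relays need a firewall rule towards the enterprise log server, and their queue files and action state are the single place to monitor for outbound backlog.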

