I'm interested in finding even a partial solution that can work with the existing population of UNIX syslog daemons. I have been most concerned about authentication of log reports, and scenarios in which an attacker interested in a particular device is able to "chaff" the event logging system with bogus reports that claim to be from other devices on the network. I'm considering adding an optional authentication field to the syslog message that's an MD5 hash of the message and a secret shared between log client and log server, making it possible to filter the log for device-level authentication. Because there may be log messages with identical content, there should be a nonce present in the message text. I suggest that this nonce be the value of the preceding log message from this client -- which should make it possible to independently serialize the stream from this client, without reference to timestamps at the server, and to detect missing or bogus log reports. This does of course add to the message size.

Alex Brown
Living with today's syslog (sorry for garbled prior msg...)
by way of "Chris M. Lonvick" <[EMAIL PROTECTED]> Mon, 10 Apr 2000 10:08:10 -0700
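The scheme proposed in the message above, worked through as an added example (this is not the poster's code): each report carries a keyed MD5 authenticator over the message text and a nonce, where the nonce is the previous report's authenticator, and the log server uses the chain to tell apart authentic, bogus, missing and replayed reports. HMAC-MD5 is assumed as the "hash of message and shared secret" construction, and the field layout, the starting nonce and the shared secret are constructed for the example.

```python
import hmac
import hashlib
from typing import List, Tuple

# Constructed sample values (not from the original message).
SECRET = b"constructed-shared-secret-for-fw1"
GENESIS_NONCE = "0" * 32  # assumed nonce for a client's very first report


def authenticator(secret: bytes, nonce: str, message: str) -> str:
    """Keyed MD5 over the chained nonce and the message text (HMAC-MD5 assumed)."""
    return hmac.new(secret, f"{nonce}|{message}".encode(), hashlib.md5).hexdigest()


def client_emit(secret: bytes, messages: List[str]) -> List[str]:
    """Append 'nonce=<prev auth> auth=<auth>' to each report, chaining the nonces."""
    out, prev = [], GENESIS_NONCE
    for text in messages:
        auth = authenticator(secret, prev, text)
        out.append(f"{text} nonce={prev} auth={auth}")
        prev = auth  # identical texts still get distinct authenticators
    return out


def parse(line: str) -> Tuple[str, str, str]:
    """Split '<text> nonce=<n> auth=<a>' into its three parts."""
    text, nonce_f, auth_f = line.rsplit(" ", 2)
    return text, nonce_f.split("=", 1)[1], auth_f.split("=", 1)[1]


def server_verify(secret: bytes, lines: List[str]) -> List[Tuple[str, str]]:
    """Classify each line: ok, bogus (bad auth), replay (seen auth), gap (chain broken)."""
    results, expected, seen = [], GENESIS_NONCE, set()
    for line in lines:
        text, nonce, auth = parse(line)
        if not hmac.compare_digest(auth, authenticator(secret, nonce, text)):
            results.append(("bogus", text))  # wrong secret or altered text: chain untouched
            continue
        if auth in seen:
            results.append(("replay", text))  # authentic but already accepted once
            continue
        seen.add(auth)
        # Authentic: a nonce that is not the last accepted auth means a report went missing.
        results.append(("gap" if nonce != expected else "ok", text))
        expected = auth  # resynchronise the chain on the authentic report
    return results
```

Filtering on the verdict column gives the "device-level authentication" filter the message describes, while the gap and replay verdicts come from the chained nonce alone, without server timestamps.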
