This article can also be found in the Premium Editorial Download "Information Security magazine: Keep today's threats close and tomorrow's closer."
Syslog has some important limitations. First, there is no validation: any properly formatted syslog message sent to the server will be received and processed. An attacker could spoof messages to the syslog server to provide false information; for example, he could report a phony attack to divert your resources away from his real effort.
In addition, since syslog uses UDP, it provides no guarantee of delivery. If a flood-style DoS attack is launched against the syslog server, legitimate messages will be dropped.
An enhanced version, syslog-ng, is based on TCP with authentication. By default, TCP provides guaranteed delivery, and because each connection has a session setup and teardown, additional information can be exchanged to validate both the data and the host generating it, for example by adding support through other protocols such as IPsec.
Syslog-ng also provides built-in log rotation. Syslog typically loses some messages while the daemon is stopped and restarted as the logs are rotated out. The challenge is to rotate logs out to an archive for compliance, legal evidence and future investigations without losing messages. Syslog-ng will automatically archive files to a designated location.
In addition, while syslog provides basic logging information, it can cause problems when forwarding log messages or when providing details of what is happening across a wide range of systems.
Syslog-ng is available for most devices and is usually obtained from the vendor. However, since some devices don't support it yet, you can configure your syslog-ng server to accept both legacy syslog devices and the newer format.
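As an added example (not part of the article and not syslog-ng's own documentation), the following syslog-ng configuration shows a server set up the way the article describes: a UDP source for legacy syslog devices, a TCP source for syslog-ng clients, date-based archive files created automatically, and a filter on the sender's address so that messages arriving from outside the management network are quarantined rather than mixed into the trusted archive. It assumes syslog-ng 3.x syntax; the network 10.10.0.0/16, the port numbers and the file paths are constructed values.

```conf
@version: 3.0

options {
    # Create archive directories on demand, with restrictive permissions.
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
    # Do not resolve sender addresses via DNS; keep the raw IP for forensics.
    use_dns(no);
};

# Legacy devices that only speak classic syslog over UDP/514 (no delivery guarantee).
source s_legacy_udp { udp(ip(0.0.0.0) port(514)); };

# syslog-ng clients sending over TCP/514 (session-oriented, reliable delivery).
source s_tcp { tcp(ip(0.0.0.0) port(514) max_connections(100)); };

# Accept as trusted only messages whose sender address (not the hostname
# claimed inside the message) is in the assumed management network.
filter f_trusted_net { netmask(10.10.0.0/16); };

# One file per claimed host per day; the real sender address is recorded
# alongside the claimed hostname so a spoofed HOST field is visible.
destination d_archive {
    file("/var/log/archive/$HOST/$YEAR-$MONTH-$DAY.log"
         template("$ISODATE $HOST src=$SOURCEIP $PROGRAM: $MSG\n"));
};

# Quarantine for anything from an unexpected source address.
destination d_untrusted {
    file("/var/log/archive/untrusted/$YEAR-$MONTH-$DAY.log"
         template("$ISODATE src=$SOURCEIP claimed=$HOST $PROGRAM: $MSG\n"));
};

# Trusted path first; flags(final) stops matching messages from also
# landing in the quarantine path below.
log {
    source(s_legacy_udp); source(s_tcp);
    filter(f_trusted_net);
    destination(d_archive);
    flags(final);
};

# Everything that did not match the trusted network ends up here.
log {
    source(s_legacy_udp); source(s_tcp);
    destination(d_untrusted);
};
```

Because the file names carry date macros, a new file is opened each day without stopping the daemon, which is the rotation behaviour the article refers to. The `netmask()` filter and the `$SOURCEIP` macro only partially address the validation problem: they tie a message to the address it arrived from, not to an authenticated host, so a transport-level control such as IPsec between clients and server is still needed if spoofing of the source address itself is a concern. A stricter variant is to set `keep_hostname(no)`, which makes syslog-ng overwrite the claimed hostname with the sender's address.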
This was first published in January 2007