Slashdot Mirror


SDSC Secure Syslog

Wee writes "I saw this morning that the San Diego Supercomputer Center has released Secure Syslog, a replacement for the standard Linux/UNIX syslog daemon they've been working on for some time. It adds security and performance features (modular design, highly scalable), while retaining backwards compatibility. According to their announcement, it is the first syslog implementation to target "syslog-reliable" (RFC 3195) functionality and it is the first syslog targeted at very high performance and forensically-sound auditing. It's currently under the UC's "free for non-commercial use" license, but they are looking at moving to a completely open license (BSD-style licensing was mentioned). If you have high-traffic systems and you need reliable syslogging, this might be worth a look. Those needing syslogging over TCP/BEEP, sockets, etc. as well as UDP might also want to check it out."

9 of 100 comments

  1. I smile whenever ancient Unix utils are updated by Frothy+Walrus · · Score: 5, Funny

    ...like syslog, for instance. Very extensible, appropriately hieroglyphic configuration, arbitrary manner of operation... it had everything a successful Unix daemon needs.

    Except security. Welcome to the 21st Century, syslog.

  2. TCP/BEEP by zephc · · Score: 5, Informative

    FYI, this is BEEP

    No, it's not Captain Pike's YES/NO beeps

    --
    "I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.

  3. TCP syslogging already available by The+Blue+Meanie · · Score: 5, Interesting

    If you need syslogging over TCP and want a *way* more configurable system for filtering syslog destinations, including regex filtering and per-host routing, you might want to look at syslog-ng. It works great for me, and is already GPL'ed, so no waiting for a license change.

    --
    "I feel that if a person can't communicate, the very least he can do is to shut up." -- Tom Lehrer

  4. Re: HP-sUX by Anonymous Coward · · Score: 5, Funny

    Now, will it compile without any changes under HP-UX?

    Sure, as long as you use gcc, and not HP's unbelievably expensive supposedly "ANSI" compiler, or the dreaded brain-dead K&R compiler that comes free with HP-UX.

    And as long as you remember root can't have any shell other than /sbin/sh.

    And of course you understand the next maintenance pack from HP will contain a depot that will overwrite key libraries without warning and break the thing completely.

    In short, it works just as well on HP-UX as anything else does.

    Feel my pain. I admin many large HP-UX machines.
  5. Buzzwords galore! by stratjakt · · Score: 5, Funny

    Modular!

    Scalable!

    Backwards compatible!

    Linux!

    RFC 3195 functionality!

    high performance!

    forensically-sound auditing!

    If only it was vertically integrated. Oh well, better luck next time!

    till then, /dev/null is all the syslog I need!

    --
    I don't need no instructions to know how to rock!!!!

  6. Several problems with syslogd. by defile · · Score: 5, Interesting

    Standard syslog has several problems which I think are quite serious.

    • Remote logging is a joke. There is no authentication, and no notification whatsoever that the event was received by the remote syslog daemon. An attacker can fill the remote syslog with garbage data if they so choose.

    • The records are entirely unstructured and not validated. The timestamp, hostname, and process id are all volunteered by the application, not something that's noted by syslogd.

    • There is no guarantee whatsoever that an application that has called syslog() will have its messages safely recorded when the function returns. I'm not talking safely tucked away on disk if the system crashes, but even written into the buffer cache by syslogd when syslog(3) returns. See end of post for details.

    • If syslog's receive buffer is full, syslog(3) will block. This means that if syslogd cannot keep up with the rate of messages, which is a really easy condition to find yourself in given that by default syslogd calls fsync() after every log file update, your system will slow to a crawl. You cannot even login(1) since most systems record this activity to security logs.

    P.S. syslog() returns as quickly as possible. Try an experiment. Generate a random number, call syslog() with this number as a string, and then open() /var/log/messages, seek to the end minus 4096 bytes. Try to find the random number. I have tried it 20 times and never has the number been there by the time read() was called. It takes longer than an application doing syslog()/open()/lseek()/read() for syslogd to record it into the buffer-cache, let alone fsync() it to disk.
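The experiment in the P.S. above, written out as an added example (this is not code from the post or from SDSC Secure Syslog). It assumes a local syslogd writing to `LOG_PATH` (set to /var/log/messages as in the post; many systems use /var/log/syslog instead) that this process can read. `tail_contains()` mirrors the post's open()/lseek()/read() sequence, `log_and_check()` repeats the syslog()-then-read-back race, and `selftest()` exercises the tail search on a constructed file so the logic can be checked without a running syslogd. The marker names are constructed.

```python
"""Measure whether a syslog() message is visible in the log file by the
time syslog() has returned.  Added example; path and marker format are
assumptions, not taken from any project."""
import os
import secrets
import syslog
import tempfile

LOG_PATH = "/var/log/messages"   # assumption: adjust to your syslogd's output file
TAIL_BYTES = 4096                # the post reads "end minus 4096 bytes"


def tail_contains(path, marker, nbytes=TAIL_BYTES):
    """Return True if `marker` appears in the last `nbytes` of `path`.

    Raises if the file cannot be opened, so a wrong LOG_PATH is not
    mistaken for a lost message.
    """
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - nbytes))
        return marker.encode() in f.read()


def log_and_check(trials=20):
    """Log a random marker `trials` times and count how often it is already
    in the file when we read it back immediately afterwards."""
    seen = 0
    syslog.openlog("syslograce", syslog.LOG_PID, syslog.LOG_USER)
    for _ in range(trials):
        marker = "marker-" + secrets.token_hex(8)   # constructed random token
        syslog.syslog(syslog.LOG_INFO, marker)
        if tail_contains(LOG_PATH, marker):
            seen += 1
    syslog.closelog()
    return seen, trials


def selftest():
    """Check tail_contains() against a constructed file: a marker inside the
    last 4096 bytes is found, an absent one is not, and data that only
    starts before the tail window is not reported."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"x" * 10000)                 # old content, mostly outside the window
        f.write(b"\nlast line marker-abc\n")  # recent line, inside the window
        path = f.name
    try:
        return (
            tail_contains(path, "marker-abc"),
            tail_contains(path, "marker-zzz"),
            tail_contains(path, "x" * 10000),
        )
    finally:
        os.unlink(path)


if __name__ == "__main__":
    seen, trials = log_and_check()
    print(f"{seen}/{trials} messages visible in {LOG_PATH} right after syslog() returned")
```

Run it as root (or as a user that can read the log file) on a host whose syslogd writes to `LOG_PATH`; a count well below `trials` reproduces the post's observation that syslog() returning says nothing about the record having been written, which matters for audit trails that must survive a crash or a deliberate reboot.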

  7. Here's the UC license that comes with it by Wee · · Score: 5, Informative

    I don't need the karma or anything, but I've seen a lot of people mention (deride) the license under which the software was released. No, it's not GPLed, BSDed, whatever. However, it is essentially open, except for commercial use. You get source if you want it, you can modify it. I'd never actually seen the UC license, so I decided to see what the actual COPYING file that comes with the tarball says. Here it is:

    Copyright 2002 The Regents of the University of California All Rights Reserved

    Permission to use, copy, modify and distribute any part of this SDSC-syslog program for educational, research and non-profit purposes, without fee, and without a written agreement is hereby granted, provided that the above copyright notice, this paragraph and the following paragraphs appear in all copies.

    Those desiring to incorporate this SDSC-syslog program into commercial products or use for commercial purposes should contact the Technology Transfer Office, University of California, San Diego, 9500 Gilman Drive, La Jolla, CA 92093-0910, Ph: (619) 534-5815, FAX: (619) 534-7345.

    IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SDSC-syslog PROGRAM, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    THE SDSC-syslog SOFTWARE PROVIDED HEREIN IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. THE UNIVERSITY OF CALIFORNIA MAKES NO REPRESENTATIONS AND EXTENDS NO WARRANTIES OF ANY KIND, EITHER IMPLIED OR EXPRESS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE USE OF THE SDSC-syslog SOFTWARE WILL NOT INFRINGE ANY PATENT, TRADEMARK OR OTHER RIGHTS.

    SDSC-syslog is developed by Tom Perrine at San Diego Supercomputer Center at the University of California, San Diego. Support for this effort is provided by Commerce Net (CN-NGI01-009).

    After some not-so-trivial digging, I found the UC guidelines for releasing software. Essentially, any software written by a UC employee can be made "public" as long as procedures are followed and it's released for non-commercial use (with a license statement accompanying the software stating such).

    Bash away at the software's non-GPLness, but I for one think it's pretty spiffy that anything a UC faculty, student or staff member writes can be given away, in source form, to the public. Anyone who works in the private sector who is allowed to give away software written on the corporate dime can either speak up or hush up.

    Anyway, cut 'em a little slack, would ya? They're trying.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  8. Re:Apache is not GPL by FreeUser · · Score: 5, Insightful

    What do you use for webserving?

    He probably uses apache, although he could be using any one of several free webservers, some of which are in fact GPLed.

    Either you're an idiot or you're trolling. There is no in between. Personally, I think you're an idiot.

    It is a pity you make such a good point about the diversity of free software licenses available, then ruin it with that sort of inane flamage.

    First, he may or may not be trolling. I suspect probably not (but I could be wrong) ... his comment appears to be a more naive equation of Free Software==GPL, which of course is mistaken, as you correctly point out. Free software can be public domain, it can be BSD licensed, it can be Artistically licensed, it can be apache licensed, it can be LGPLed, indeed, it can be licensed under any number of such licenses.

    Second, to say there is no in between is foolish. Almost as foolish as Dubya's "you're with us or you're with the terrorists," which the Iranians quite correctly rebutted with "we are neither with you, nor are we with the terrorists, and you sir are a pathetic simpleton" (a nuance obviously lost on our current regime). There is a huge middle ground ... people often say provocative things in making very valid points.

    Finally, he is hardly an idiot. Naive in equating the GPL with free software, but had his comment replaced the term GPL with "free software" it would have been very valid and on point. The core UNIX utilities and operating system need to be free software, unencumbered by constraints such as "no commercial use" (or the asinine "no use to violate human rights", where the definition of human rights varies from county to county, state to state, and very obviously nation to nation). On that point he is correct ... he simply needs to educate himself on the nuances of free software licenses, and the difference between free software and the GPL, which is merely a subset thereof. Hardly a sign of idiocy, merely a sign of ignorance, a condition that is easily corrected.

    --
    The Future of Human Evolution: Autonomy

  9. Re:Remote logging exists right now by James+Willard · · Score: 5, Insightful

    But the point is that standard syslog still runs over the unreliable UDP transport and has no authentication to prevent forged log entries.

    If the UDP packet happens to be dropped along the way (perhaps flooding a router or network with traffic to hope for packet loss), it won't make it into the logs.

    Also, since there is no authentication and it's easy to forge a UDP packet, it would be possible for an attacker to carry out a DoS attack against your log server by filling it with useless data and filling up the disk.
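Comment 6 (remote logging has no authentication; timestamp, hostname and pid are volunteered by the sender, not noted by syslogd) and comment 9 (forged UDP datagrams) both describe the same weakness from the log server's side. The following added example, which is not code from SDSC Secure Syslog or any other project, shows the receiver-side mitigation a log server can apply today: record what it observed itself (UDP source address, arrival time) alongside the fields the sender volunteered, and flag disagreements instead of trusting the message body. The classic `<PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: msg` layout is the RFC 3164 one; the hostname-to-address map, the 5-minute skew limit and every sample datagram are constructed.

```python
"""Receiver-side sanity checks for classic (RFC 3164-style) syslog datagrams.
Added example; sample data and policy values are constructed."""
import re
from datetime import datetime, timedelta

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: message   (RFC 3164 layout)
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)

# Assumption: the log server knows which source address each hostname
# should arrive from (constructed values).
EXPECTED_SOURCE = {"web01": "10.0.0.11", "db01": "10.0.0.12"}
MAX_SKEW = timedelta(minutes=5)   # constructed policy: tolerated clock drift


def parse(datagram):
    """Split a datagram into its fields; returns None if it is not well-formed."""
    m = BSD_SYSLOG.match(datagram)
    if not m:
        return None
    d = m.groupdict()
    d["facility"], d["severity"] = divmod(int(d["pri"]), 8)
    return d


def check(datagram, src_addr, arrival):
    """Return a list of findings for one datagram.

    `src_addr` (UDP source address) and `arrival` (receive time) are values
    the server observed itself; everything inside `datagram` was volunteered
    by the sender and is only compared against them.
    """
    findings = []
    d = parse(datagram)
    if d is None:
        return ["unparseable datagram"]
    if int(d["pri"]) > 191:                     # max facility 23, severity 7
        findings.append("PRI out of range")
    host = d["host"]
    if host not in EXPECTED_SOURCE:
        findings.append(f"unknown hostname {host!r}")
    elif EXPECTED_SOURCE[host] != src_addr:
        findings.append(f"hostname {host!r} claimed from {src_addr}, "
                        f"expected {EXPECTED_SOURCE[host]}")
    # RFC 3164 timestamps carry no year; borrow it from the arrival time
    # (a year-boundary edge case this example does not handle).
    try:
        ts = datetime.strptime(f"{arrival.year} {d['ts']}", "%Y %b %d %H:%M:%S")
    except ValueError:
        findings.append("malformed timestamp")
    else:
        skew = abs(ts - arrival)
        if skew > MAX_SKEW:
            findings.append(f"sender timestamp {d['ts']} skewed from arrival by {skew}")
    return findings


# Constructed datagrams paired with the source address the server saw.
ARRIVAL = datetime(2024, 10, 5, 13, 2, 30)
SAMPLES = [
    ("<34>Oct  5 13:02:11 web01 sshd[1234]: Accepted publickey for alice", "10.0.0.11"),
    ("<34>Oct  5 13:02:11 web01 sshd[1234]: Accepted publickey for alice", "10.0.0.99"),
    ("<13>Oct  5 08:00:00 db01 cron[77]: nightly backup", "10.0.0.12"),
    ("<200>Oct  5 13:02:20 web01 foo: x", "10.0.0.11"),
    ("garbage", "10.0.0.11"),
]


def scan(samples=SAMPLES, arrival=ARRIVAL):
    """Run check() over every sample; returns one findings list per datagram."""
    return [check(dg, src, arrival) for dg, src in samples]


if __name__ == "__main__":
    for (dg, src), findings in zip(SAMPLES, scan()):
        print(f"{src:>11}  {dg[:45]:<45}  {findings or 'ok'}")
```

The checks only narrow the problem: a sender on the expected address can still lie about its timestamp within the skew window, and nothing here authenticates the datagram, which is exactly the gap the TCP/BEEP and RFC 3195 transports discussed in the story are meant to close. What the example does give a defender is a record of the observed source and arrival time next to the claimed ones, which is what makes a forged or replayed entry detectable after the fact.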