
I am trying to Forward syslogs and Event Logs across networks (internet).

Win Computer ----|
Win Server ------|
Win Server ------|>> Internal Syslog Server >> || >> External Syslog Server >> Splunk
Win Router ------|
(There will be multiples of these forwarding to a single source)

I am wondering what it would take to implement this (I can get the logs to the Internal Syslog Server), but my issue is ensuring that all the logs from the internal server are kept authentic and look the same when they get to Splunk without being changed. It will also likely need encryption.

There will be 4-5 different Internal Syslog Servers forwarding to this external source.

So my question about this is: do I go with rsyslog, syslog-ng, etc., or do I go with a VPN on the Internal Syslog Server, forwarding the events through the VPN?

If syslog forwarding using encryption/TCP is better, then is it possible/doable?

m3rl1n

1 Answer

Syslog can be encrypted with TLS, which will use TCP. TCP guarantees the deliverability of the packets (as long as your application does the right thing), and TLS takes care of the encryption. Traditionally, TCP and TLS/SSL are thought of as having too much overhead which is why people avoided it in the past. But for modern networks this is totally doable.

To get started, get a sense of RFC 5425: Reliable Delivery for syslog and RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog.

TCP and TLS are possible with rsyslog, see http://www.rsyslog.com/doc/v7-stable/tutorials/tls.html#abstract

Stefan Lasiewski
  • If I am trying to forward the Event Logs along with (likely just end up using a EventLog =>> Syslog) will this matter? Also about ensuring that events were forwarded "as if the end server was within the local network"? – m3rl1n Mar 22 '14 at 15:53
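A worked rsyslog configuration for the setup the answer describes: mutual TLS between each internal rsyslog server and the external receiver, with a disk-assisted queue so an internet outage buffers events instead of dropping them. This is an added example, not taken from the answer or from the rsyslog documentation; it uses the legacy directive syntax of the v7 tutorial linked above. All hostnames, certificate paths and the `site1`/`example.internal` names are placeholders you would replace with your own (6514 is the IANA-registered syslog-over-TLS port from RFC 5425).

```conf
##### External syslog server (the one in front of Splunk): /etc/rsyslog.d/10-tls-receiver.conf

# Load the TCP listener and select the GnuTLS network stream driver
$ModLoad imtcp
$DefaultNetstreamDriver gtls

# A private CA that signed the receiver's certificate and the certificate of
# every internal forwarder (placeholder paths)
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/external-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/external-key.pem

# Mode 1 = TLS only (plain TCP is refused). x509/name = verify the client's
# certificate chain against the CA AND require its certificate name to match
# the permitted-peer list, so only your 4-5 internal servers can submit events.
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.syslog.example.internal

# Write the message exactly as received on the wire, one per line, so nothing
# is reformatted between the internal server and Splunk
$template RawForSplunk,"%rawmsg%\n"
$InputTCPServerRun 6514
*.* /var/log/remote/all-sites.log;RawForSplunk


##### Each internal syslog server: /etc/rsyslog.d/50-forward-tls.conf

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/site1-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/site1-key.pem

# The client also checks the receiver's certificate name (mutual TLS), so a
# spoofed "external server" cannot collect the logs
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer external-syslog.example.net

# Disk-assisted action queue: events spool to disk while the link is down and
# are retried indefinitely instead of being discarded
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwd-external
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# @@ = TCP transport; the RFC 5424 output template keeps the original
# timestamp and hostname fields intact on the wire
*.* @@external-syslog.example.net:6514;RSYSLOG_SyslogProtocol23Format
```

Two things this does and does not give you: TLS with `x509/name` on both ends is what ties "authentic" to a specific, certificate-holding forwarder and protects the events in transit across the internet, which is the part a VPN would otherwise cover; it does not make the log lines tamper-evident once written to disk, and what the Windows events look like on arrival is decided by the agent that turns Event Log entries into syslog on the internal side, not by this hop.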