Ask HN: Best place to locate syslog for DMZ hosts?
In a traditional network design, is it better to locate the syslog server inside the secure network due to its value, and poke a hole inward for DMZ hosts to publish? As opposed to placing the syslog in the DMZ or its own zone. Is a syslog daemon low risk? Or am I approaching the problem fundamentally wrong?
1 comment
[ 0.18 ms ] story [ 18.3 ms ] threadEnsure the syslog servers are running some form of mandatory access controls, such as AppArmor or SELinux so that syslog can only read and write where it is expected to in the event someone or something attempts a 0-day buffer overflow and obviously keep everything up to date on patches.
If you do not need real time syslog and this is just for archival purposes then you can reverse the flow, reaching out to the DMZ from a trusted zone and pull in logs hourly, daily via rsync over SSH or Chroot SFTP-Only if you need further reduction of exposure. Rsync has options to read updated portions of the files if your logs get really big. The LFTP client using the mirror+sftp subsystems can partially replicate some behavior of Rsync for use in Chroot SFTP-Only environments.
[1] - https://www.rsyslog.com/doc/tutorials/tls.html [short version]