Syslog accept reports from non-accepted nodes
We don't refuse reports from non-accepted node. That may cause disponibility problem (DoD, filling of the base leading to slow query or filling of the harddrive, etc) and since 3.0, it may display erroneous "changes" for rules.
#1 Updated by François ARMAND over 3 years ago
Most likelly we need to use: http://www.rsyslog.com/doc/rsconf1_allowedsender.html and have system rules for relays and root server that configure them correctly.
#5 Updated by Benoît PECCATTE over 3 years ago
- Status changed from 8 to Discussion
- Assignee set to Nicolas CHARLES
We are missing the list of IP to be authorized somewhere in a a rudder variable.
But do not have them yet since there is a problem getting those IP:
- If there is a NAT
- If there is more than one IP on the agent
- using hostname and reverse DNS : big performance hit and probably not available in rsyslog
- trying to collect real source ip from agents : we would need to find the information and to manage configuration transition
- using only the allowed network : easy but does not solve the case of removed agent
NCH, do you have an idea ?
#16 Updated by Vincent MEMBRÉ over 3 years ago
- Status changed from Released to New
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Target version changed from 3.0.5 to 3.0.6
#38 Updated by Jonathan CLARKE over 1 year ago
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Operational - other Techniques | Technique editor | Rudder settings
- Priority set to 50
I assume this would be simple enough to do based solely on allowed networks?
#50 Updated by Benoît PECCATTE 8 months ago
- Effort required set to Large
- Priority changed from 63 to 38
There is no simple version based on allowed network, since the problem is rsyslog itself.
"Some versions of rsyslog segfaults when receiving logs from disallowed senders. It happens only on TCP."
As long as we support those versions, we are stuck.