Is this just for OSSEC traffic? If you want all syslog to go to your loghost securely then I would suggest either stunnel or ssh tunneling. stunnel will require more config than ssh, but doesn't require a user on the client system.
The easiest way is to create a locked-down user on your clients with RSA keys, then on your loghost start reverse tunnels to them in rc.local or somewhere:

    ssh -R514:loghost:514 -luser client

Then have all your clients send syslog to localhost:514, which will tunnel over SSH to your loghost. This isn't very efficient for really large volumes of syslog, but I do about 100 Mbps with this and no problems. I think syslog-ng has a paid version that does TCP with encryption, but I'm not sure. That hasn't really been an option for me.

On Aug 24, 10:54 pm, Navid Paya <[email protected]> wrote:
> Hi
>
> I've set up my logging solution but there's one more step that needs to be
> taken. I'm using SuSE 10, which uses syslog-ng as its logging facility. The
> problem is syslog-ng uses raw TCP traffic, which is not secure at all. Now I
> really need to encrypt the traffic. I've read about using stunnel to pipe
> encrypted traffic from syslog clients to the server. I wanted to know if
> anyone has experience in this matter, and if yes, should I make any changes
> to the ossec configuration? And do you possibly know a better way? Just one
> thing, SuSE 10 is a must in this scenario 'cause it's part of the firm's
> policy and there's absolutely nothing I can do to change it. Thank you all
> as always. This mailing list has been a great help to me.
>
> Navid
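The reverse-tunnel setup described above, written out as an added example that is not part of the original post or of OSSEC/syslog-ng: a small POSIX shell script that composes the ssh command the loghost runs per client, the authorized_keys restrictions for the locked-down tunnel account on each client, and the matching syslog-ng fragments for both ends. The account name `syslogtun`, the key path, the host names and the client-side port 5514 are assumptions. The port differs from the one in the post because sshd refuses to bind a privileged port (below 1024) for a remote forward unless the tunnel user is root on the client, so a locked-down user needs an unprivileged listener; the loghost side still delivers to its own syslog-ng on 514. The `permitlisten` option needs OpenSSH 7.8 or newer and must be dropped on older sshd (an unrecognized option makes sshd reject the whole key).

```shell
#!/bin/sh
# Added example, not code from the original post. Names, ports and paths below
# are assumptions chosen for illustration.

TUNNEL_USER="syslogtun"   # locked-down account on each client (assumed name)
CLIENT_PORT=5514          # listener sshd binds on the client; <1024 would need root there
LOGHOST_PORT=514          # port syslog-ng on the loghost listens on (loopback only)

# ssh command the loghost runs (e.g. from rc.local) to open one client's tunnel.
# -N: no remote shell.  -R: client loopback:5514 -> loghost loopback:514.
# ExitOnForwardFailure: a bind failure kills the session instead of leaving a
# connection with no forward; ServerAlive* tears down a dead tunnel so the
# supervising loop (below) can reopen it.
tunnel_cmd() {
    client="$1"; key="$2"
    printf 'ssh -N -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:%s -l %s %s\n' \
        "$key" "$CLIENT_PORT" "$LOGHOST_PORT" "$TUNNEL_USER" "$client"
}

# ~syslogtun/.ssh/authorized_keys entry on the client: key usable only from the
# loghost's address, no shell, no pty, no agent/X11 forwarding, and only the one
# loopback listener the tunnel needs (permitlisten: OpenSSH 7.8+ only).
authorized_keys_line() {
    pubkey="$1"; loghost_ip="$2"
    printf 'from="%s",command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$loghost_ip" "$CLIENT_PORT" "$pubkey"
}

# syslog-ng fragment for each client: send everything to the local tunnel end.
# "src" is the default source name in SuSE's syslog-ng.conf (assumed unchanged).
client_syslogng_conf() {
    cat <<EOF
destination d_loghost { tcp("127.0.0.1" port($CLIENT_PORT)); };
log { source(src); destination(d_loghost); };
EOF
}

# syslog-ng fragment for the loghost: accept tunnelled traffic on loopback only,
# so nothing can reach the listener without coming through an SSH session.
loghost_syslogng_conf() {
    cat <<EOF
source s_tunnel { tcp(ip("127.0.0.1") port($LOGHOST_PORT)); };
EOF
}

# rc.local lines for the loghost: one background restart loop per client.
rc_local_snippet() {
    key="/root/.ssh/syslogtun_key"   # assumed private key path on the loghost
    for client in "$@"; do
        printf 'while true; do %s; sleep 10; done &\n' "$(tunnel_cmd "$client" "$key")"
    done
}

# Usage: print everything for two (assumed) clients.
rc_local_snippet client1.example.com client2.example.com
authorized_keys_line "ssh-rsa AAAAB3NzaC1yc2E... loghost" 192.0.2.10
client_syslogng_conf
loghost_syslogng_conf
```

Run the script on the loghost to get the rc.local lines and the authorized_keys entry to install on each client; the two syslog-ng fragments go into the respective syslog-ng.conf files. A quick check after starting a tunnel is `netstat -tln` on the client, which should show sshd listening on 127.0.0.1:5514 and nothing on 0.0.0.0.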
