21

So I've got a few servers which I'd like to log centrally but obviously I don't want to pass the data insecurely over the internet.

I've tried syslog-ng but can't make it work in a secure way, a normal ssh -L PORT:localhost:PORT user@host SSH tunnel won't work because I believe that makes the logs appear to come from the local machine, and a VPN seems a bit like overkill.

JamesHannah

7 Answers

19

Have you tried syslog-ng and stunnel?

  1. Install Stunnel
  2. Create certificate files for syslog-ng over Stunnel
  3. Configure Stunnel for Use With syslog-ng
  4. Install syslog-ng
  5. Configure syslog-ng
  6. DONE!

NOTE:

Stunnel (http://www.stunnel.org) is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.

KPWINC
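A minimal stunnel configuration for the steps above, added here as an example rather than taken from the answer; the hostnames, ports and certificate paths are assumptions, and both sides require a certificate signed by the same internal CA so that only known hosts can feed the loghost.

```ini
; --- /etc/stunnel/stunnel.conf on the central loghost (server side) ---
; stunnel terminates TLS on 5140 and hands the plaintext stream to
; syslog-ng, which listens on the loopback interface only.
; server certificate + key in one PEM file (assumed path)
cert = /etc/stunnel/loghost.pem
; the internal CA that signed every host certificate (assumed path)
CAfile = /etc/stunnel/internal_CA.crt
; verify = 2: reject any client that does not present a cert from that CA
verify = 2

[syslog]
accept = 5140
connect = 127.0.0.1:514

; --- /etc/stunnel/stunnel.conf on each sending host (client side) ---
client = yes
; this host's certificate + key, signed by the same CA (assumed path)
cert = /etc/stunnel/my_hostname.pem
CAfile = /etc/stunnel/internal_CA.crt
; verify = 2: only accept a loghost certificate signed by that CA
verify = 2

[syslog]
; local syslog-ng sends plaintext here; stunnel wraps it in TLS
accept = 127.0.0.1:5140
connect = loghost.example.com:5140
```

On the loghost syslog-ng then listens with tcp(ip(127.0.0.1) port(514)) and, because every connection now arrives from 127.0.0.1, should take the origin from the message itself (keep_hostname(yes)); on each sender the destination points at tcp("127.0.0.1" port(5140)).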
12

Short answer: VPN

It may seem overkill, but it is the right answer and not that complicated to set up.

Kevin Kuphal
  • Right! http://openvpn.net/ is really simple to set up and just works. – pQd Jun 05 '09 at 20:56
  • Not only that, but it also gives you a *lot* more flexibility to manage and monitor the remote machines securely. OpenVPN (or even IPSec) will be much better in the long run. – Christopher Cashell Jun 12 '09 at 19:28
10

Rsyslog can do this: see "Encrypting Syslog Traffic with TLS".

Brian De Smet
  • Aren't you still opening a port to the internet with this solution? I'd still be loath to do that for something like this. – Kevin Kuphal Jun 05 '09 at 21:17
  • Kevin: It's assumed that your syslog server would be expecting traffic from certain predetermined IPs, which is easy to accomplish via iptables. – Matt Simmons Jun 05 '09 at 21:58
  • Most cloud providers also allow flexible security groups which allow you to whitelist specific ports from specific IPs. – jorfus Mar 26 '16 at 00:15
2

You might also check out the free Kiwi Secure Tunnel http://www.solarwinds.com/products/kiwi_syslog_server/related_tools.aspx

1

Use syslog-ng or another syslog daemon that supports TCP.

Send the data over an encrypted tunnel. Don't use an ssh tunnel, it is too fiddly.

UDP syslog is a historical braindamaged protocol that should have been eliminated long ago. If your vendor provides it by default, please lean on them.

If your vendor does not provide a syslog solution that signs each message before sending it on, lean on them.

The software is easy, the algorithms are easy. The politics of getting it installed by default are not.

carlito
  • UDP syslog has certain advantages when it comes to not causing outages if the destination goes down for longer periods. Not too big a deal with syslog-ng, but it can be a nightmare in rsyslog. Encryption's value is nothing I want to question by saying that. – Florian Heigl Mar 25 '16 at 19:21
1

I probably wouldn't send log data over the internet in the first place, but install a centralized loghost at the location(s) where needed.

These days, I prefer rsyslog to syslog-ng. It is a near drop-in replacement, and has a variety of papers and howtos, including one on sending encrypted data with TLS/SSL (as of v3.19.0); older versions can still use stunnel.

In my experience with both rsyslog and syslog-ng, rsyslog wins out in ease of configurability, especially since you can use your existing syslog.conf, and add onto that.

For what it's worth, Rsyslog is the default syslog daemon on Debian Lenny (5.0), Ubuntu and Fedora.

jtimberman
  • It's just too bad that rsyslog hasn't yet added the new (planned) config file syntax. Right now, configuring rsyslog for anything non-trivial is *painful* compared to syslog-ng. – Christopher Cashell Jun 12 '09 at 19:29
1

I'm using rsyslog with TLS. There is some out-of-scope prep work: deploy a local CA, add the CA's cert to each host, and generate individual certs for each host. (Now all of your hosts can talk SSL to each other.)

I also needed to install rsyslog-gnutls:

sudo apt-get install rsyslog-gnutls

I have also restricted the outgoing syslog connection (tcp 514) so my hosts can only connect to my rsyslog server, and created an incoming whitelist on the rsyslog server side so only my hosts can connect.

In /etc/rsyslog.conf:

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/my_keys/internal_CA.crt
$DefaultNetstreamDriverCertFile /etc/my_keys/my_hostname.crt
$DefaultNetstreamDriverKeyFile /etc/my_keys/my_hostname.key

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer my_syslog_server.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.* @@my_syslog_server.com:514 # forward everything to remote server

It looks like the config for syslog-ng is even easier (though I haven't tried this). For syslog-ng, in /etc/syslog-ng/conf.d/99-graylog2.conf:

# TLS-protected TCP destination; reference it from a log {} statement
# so that a source is actually forwarded to it
destination remote-server {
    tcp("my_syslog_server.com" port(514)
        tls(ca_dir("/etc/my_keys/"))
    );
};
jorfus
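The receiver side that pairs with the client config in the answer above, added here as an example (not the answer's own config); it uses the same legacy rsyslog syntax as the directives shown there, and the file paths and the permitted-peer pattern are assumptions.

```conf
# /etc/rsyslog.conf on the central loghost (receiver side)

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files: the same internal CA the clients trust, plus this
# host's own certificate and key (assumed paths)
$DefaultNetstreamDriverCAFile /etc/my_keys/internal_CA.crt
$DefaultNetstreamDriverCertFile /etc/my_keys/my_syslog_server.crt
$DefaultNetstreamDriverKeyFile /etc/my_keys/my_syslog_server.key

# load the TCP listener
$ModLoad imtcp

# run the listener in TLS-only mode so plaintext connections are refused
$InputTCPServerStreamDriverMode 1

# weak setting (left commented out): anon encrypts the stream but accepts
# any client, so anyone who can reach the port could inject log lines
#$InputTCPServerStreamDriverAuthMode anon

# corrected setting: require a client certificate issued by our CA whose
# CN or DNS subjectAltName matches the permitted pattern
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com

# start the listener on the port the clients forward to (@@host:514)
$InputTCPServerRun 514
```

Together with the host-level whitelist on tcp 514 mentioned in the answer, an unauthorised sender is stopped twice: at the firewall by source address and at the TLS handshake by certificate name.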