Background: Remote log aggregation is regarded as a way to improve security. Generally, this addresses the risk that an attacker who compromises a system can edit or delete logs to frustrate forensic analysis. I've been researching security options in common log tools.
But something feels wrong. I can't see how to configure any of the common remote loggers (eg rsyslog, syslog-ng, logstash) to authenticate that an incoming message truly originates from the purported host. Without some kind of policy constraint, one log-originator could forge messages on behalf of another log-originator.
The author of rsyslog seems to warn about authenticating log data:
One final word of caution: transport-tls protects the connection between the sender and the receiver. It does not necessarily protect against attacks that are present in the message itself. Especially in a relay environment, the message may have been originated from a malicious system, which placed invalid hostnames and/or other content into it. If there is no provisioning against such things, these records may show up in the receivers’ repository. -transport-tls does not protect against this (but it may help, properly used). Keep in mind that syslog-transport-tls provides hop-by-hop security. It does not provide end-to-end security and it does not authenticate the message itself (just the last sender).
So the follow up question is: what is a good/practical configuration (in any common log tool of your choice -- rsyslog, syslog-ng, logstash, etc) which provides some amount of authenticity?
Or... if nobody authenticates log data, then why not?
--
(Aside: In discussing/comparing, it may help to use some diagrams or terminology from RFC 5424: Section 4.1: Example Deployment Scenarios -- e.g. "originator" vs "relay" vs "collector")