In a traditional network design, is it better to locate the syslog server inside the secure network due to its value, and poke a hole inward for DMZ hosts to publish? As opposed to placing the syslog in the DMZ or its own zone. Is a syslog daemon low risk? Or am I approaching the problem fundamentally wrong?
<i>If you need real time syslog</i>, the syslog servers could be in the trusted zone and use syslog over TLS, limiting connections inbound to those that have proper certificates. [1] Also verify the firewall only permits the port you have syslog listening on. If your syslog clients support spooling, it is a good idea to do this should they get cut off from the trusted servers for a period of time. RSyslog supports spooling. Also make sure you enable TCP socket keepalive <i>(TCP since you are using TLS, and socket keepalive since syslog is passing through a firewall)</i>.

<p>Ensure the syslog servers are running some form of mandatory access controls, such as AppArmor or SELinux, so that syslog can only read and write where it is expected to in the event someone or something attempts a 0-day buffer overflow, and obviously keep everything up to date on patches.

<p><i>If you do not need real time syslog</i> and this is just for archival purposes, then you can reverse the flow, reaching out to the DMZ from the trusted zone and pulling in logs hourly or daily via rsync over SSH, or Chroot SFTP-Only if you need further reduction of exposure. Rsync has options to read only the updated portions of the files if your logs get really big. The LFTP client using the mirror+sftp subsystems can partially replicate some behavior of Rsync for use in Chroot SFTP-Only environments.

<p>[1] - <a href="https://www.rsyslog.com/doc/tutorials/tls.html" rel="nofollow">https://www.rsyslog.com/doc/tutorials/tls.html</a> [short version]
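The "real time" design from the answer above (syslog over TLS into a trusted-zone collector, inbound connections limited to DMZ hosts presenting expected certificates, disk spooling and TCP keepalive on the clients) as a worked rsyslog configuration. This is an added example, not the answerer's own configuration: the hostnames, certificate paths, port 6514, the queue size and the keepalive timers are assumptions chosen for illustration and would be replaced with your own values.

```rsyslog
#################################################################
# (1) Collector in the trusted zone: /etc/rsyslog.d/10-tls-in.conf
#################################################################

# Server identity and the CA that signed the DMZ client certificates.
# Paths are assumed for this example.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector-key.pem"
)

# TLS-only TCP listener. Mode "1" forces TLS; AuthMode "x509/name" requires a
# client certificate chained to the CA above AND a name in PermittedPeer,
# so an arbitrary DMZ host that reaches the port still cannot deliver logs.
# The firewall rule (DMZ -> collector, TCP/6514 only) is a separate control
# and is still required, as the answer notes.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["dmz-web01.example.com","dmz-mail01.example.com"])

# Port 6514 is assumed here (the conventional syslog-over-TLS port).
input(type="imtcp" port="6514")

#################################################################
# (2) DMZ client: /etc/rsyslog.d/90-fwd-trusted.conf
#################################################################

# Client identity; the collector verifies this certificate against its CA.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/dmz-web01-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/dmz-web01-key.pem"
)

# Forward everything over TLS, pinning the collector's certificate name so a
# spoofed collector in the DMZ cannot harvest the logs.
*.* action(type="omfwd"
           target="syslog.internal.example.com" port="6514" protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="syslog.internal.example.com"

           # TCP keepalive so a firewall that silently drops idle state is
           # noticed and the session re-established (timers are assumptions).
           KeepAlive="on"
           KeepAlive.Time="60"
           KeepAlive.Interval="10"
           KeepAlive.Probes="3"

           # Disk-assisted queue: messages spool to /var/spool/rsyslog while
           # the collector is unreachable and drain when it returns.
           # 1 GiB cap is an assumed value; size it for your outage window.
           queue.type="LinkedList"
           queue.filename="fwd_trusted"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"

           # Retry forever instead of discarding after a fixed number of tries.
           action.resumeRetryCount="-1")
```

Two checks worth running after deploying this: confirm from a DMZ host that a plain-text connection to port 6514 is rejected (mode 1 does not fall back to TCP), and confirm from a host whose name is not in `PermittedPeer` that the TLS handshake completes but the collector logs and drops the session rather than writing its messages. Both results show the certificate check, not just the firewall, is doing the gating.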