How To Avoid Source Spoofing In Centralized Syslog Environments

An obvious weakness of the syslog network protocol is the ease of spoofing messages into a central syslog server. The default use of UDP as a transport and the lack of any authentication make it trivial to spoof any part of a syslog message.

The most concerning issue with spoofing is faking the sending host. An attacker can create a lot of chaos by stuffing log files with bogus errors, creating a denial-of-service potential or an opportunity to distract administrators with false alarms while a real attack takes place.

The most basic way to improve the situation is to transport syslog over TCP rather than UDP.  Both the syslog-ng and rsyslog servers support this natively.
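Switching to TCP makes blind spoofing of the source address much harder, but the HOSTNAME field inside the message is still whatever the sender wrote. The following added example (not from the original article) shows the consistency check a central server can run: compare the claimed hostname against the address the message actually arrived from, and treat a match as weak evidence over UDP and strong evidence over TCP. The host-to-address allow-list and the sample traffic are constructed.

```python
import re

# Constructed allow-list of which address each host should log from; in a real
# deployment this would come from inventory or DHCP reservations (assumption).
EXPECTED_SOURCE = {"web01": "10.0.1.10", "db01": "10.0.2.20"}

# BSD syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) .*$")

def claimed_hostname(line):
    """Return the HOSTNAME field the sender put in the line, or None if unparseable."""
    m = SYSLOG_RE.match(line)
    return m.group("host") if m else None

def check_origin(transport, peer_ip, line):
    """Classify one received message as (verdict, confidence).

    Confidence is "low" for UDP: with no handshake the peer address itself can
    be forged, so even a matching address proves little. Over TCP the handshake
    ties the message to a reachable peer, so a match (or mismatch) means more.
    """
    confidence = "high" if transport == "tcp" else "low"
    host = claimed_hostname(line)
    if host is None:
        return "unparseable", confidence
    expected = EXPECTED_SOURCE.get(host)
    if expected is None:
        return "unknown_host", confidence
    if peer_ip != expected:
        return "hostname_mismatch", confidence
    return "ok", confidence

# Constructed sample traffic as the central server would see it: (transport, peer, line)
SAMPLES = [
    ("tcp", "10.0.1.10", "<34>Oct 11 22:14:15 web01 sshd[123]: Accepted publickey for ops"),
    ("udp", "10.0.0.99", "<34>Oct 11 22:14:16 db01 kernel: RAID array degraded"),
    ("udp", "10.0.2.20", "<13>Oct 11 22:14:17 db01 cron[77]: job finished"),
    ("tcp", "10.0.3.30", "<13>Oct 11 22:14:18 ghost sshd[9]: Failed password for invalid user"),
]

def audit(samples=SAMPLES):
    """Return (peer, claimed host, verdict, confidence) for every record that is not ok."""
    alerts = []
    for transport, peer, line in samples:
        verdict, confidence = check_origin(transport, peer, line)
        if verdict != "ok":
            alerts.append((peer, claimed_hostname(line), verdict, confidence))
    return alerts
```

The second sample is the case the article warns about: a "db01" disk error injected from an address that db01 never uses. The check flags it, but only with low confidence, because over UDP the 10.0.0.99 could itself be forged.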

Alternatively, syslog can be tunneled over stunnel, as described here.