Information
By default, syslog-ng does not listen for log messages coming in from remote systems.
Rationale:
The guidance in the section ensures that remote log hosts are configured to only accept syslog-ng data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote syslog-ng messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location.
Solution
On designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and configure the following lines are appropriately:
source net{ tcp(); };
destination remote { file('/var/log/remote/${FULLHOST}-log'); };
log { source(net); destination(remote); };
On non designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and remove or edit any sources that accept network sourced log messages.
Run the following command to reload the syslog-ng configuration:
# pkill -HUP syslog-ng
References:
See the syslog-ng(8) man page for more information.