A primitive way of access control is offered in rsyslog via the $AllowedSender configuration directive. It permits the operator to specify hosts from which messages are being accepted. If the directive is not specified, messages from all hosts are accepted. If it is, the set is limited to those senders that match the configured criteria (this can be network addresses or host name). Access control can be configured for UDP- based and TCP-based protocols independently.
Note that this directive may be used to simplify firewall setup, where the firewall permits incoming traffic from all remote machines on the port in question. Then rsyslog ACLs are used to control who is actually permitted. The down-side of this approach is that the packets reach rsyslog and any vulnerability in it can be exploited. Please note that UDP addresses can easily be spoofed (though thankfully not as easy any longer on the public Internet thanks to more careful configuration on most ISP’s side). So an IP-based access control does not work very well for UDP (neither at the firewall nor at the rsyslog level – but the firewall may have more options at hand, given its comparatively broad knowledge of the perimeter). Continue reading