Which Logging Protocol Do I use?
Updated: Jun 11, 2019
We had a choice to make today at work about which logging protocol to use from a vendor: UDP, TCP, TCP over TLS, or install the Splunk Forwarder and manage that.
In a perfect world we'd standardize, but the reality is there are many reasons to select one specific protocol over another. In most cases, I find this is just because of vendor support issues, but there are others.
UDP vs TCP - which is more secure? When given a choice between UDP and TCP, I have noticed people telling me that TCP is more secure. They use it as a compromise between configuring a certificate-based logging protocol and just using a UDP stream.
Ultimately, what are you talking about when you say security? Without context, it's a loaded question. If I had to sum it up, neither is secure without certificates but there are benefits (and costs) for going with TCP.
Confidentiality - Both UDP and TCP are clear text. You cannot assume that your message is not being read by the bad guys.
Integrity - Neither protocol runs a true MD5 on the source data and then on what arrives at your logging system, like Splunk can. TCP does offer a variety of error detection and checksums on the datagram/segment itself. It's not true end to end, but still a major improvement over UDP.
Availability - TCP offers retransmission while UDP is lossy. You might find this feature useful in environments where the network is unstable, such as a hybrid cloud situation or when dealing with end hosts that are error-prone.
"TCP is a reliable protocol that adds a sequence number to the data packets as it sends out a stream. This helps the recipient arrange and stitch back the message together. UDP doesn't add a number to its header, which means the recipient has no way of knowing if it received all the packets and in the right order."
So which do you pick? Most of us find that the confidentiality of both solutions is a deal breaker and move to another protocol completely. If Syslog over HTTPS isn't an option, look for Filebeat and Splunk Forwarders as the method of getting your logs off the box in a way that keeps your security team happy.
What if I HAVE to use Syslog over UDP or Syslog over TCP? Consider using a VPN tunnel between your endpoints, or perhaps log to a Syslog server in the same subnet, then resend in a secure manner. Most PaaS services have this as a default option. But if you have to do it manually, here ya go: https://blog.boyeau.com/cheat-sheet-establishing-a-vpn-tunnel-between-2-linux-servers/
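The "log to a Syslog server in the same subnet, then resend in a secure manner" option, sketched as an added example that is not from the original post. It assumes the relay runs rsyslog with the GnuTLS (gtls) driver installed; the listen address, collector hostname and file paths are placeholders.

```conf
# /etc/rsyslog.d/50-relay.conf (path is an assumption; adjust for your distro)

# Accept clear-text UDP syslog only on the relay's same-subnet interface,
# so the unencrypted hop never leaves the local segment.
module(load="imudp")
input(type="imudp" address="192.0.2.10" port="514")   # placeholder address

# Weak forwarding options, shown for contrast only (legacy syntax):
#   *.* @collector.example.internal:514     # UDP: clear text, lossy
#   *.* @@collector.example.internal:514    # TCP: retransmits, still clear text

# TLS settings: trust only the CA that issued the collector's certificate.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"   # placeholder path
)

# Resend everything over syslog-over-TLS (TCP 6514, RFC 5425).
action(
    type="omfwd"
    target="collector.example.internal"      # placeholder hostname
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"                      # 1 = TLS required
    StreamDriverAuthMode="x509/name"          # verify the peer certificate name
    StreamDriverPermittedPeers="collector.example.internal"
    # Buffer to disk while the collector is unreachable instead of dropping.
    queue.type="LinkedList"
    queue.filename="fwd_tls"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"              # retry forever
)
```

The UDP hop from the device to the relay is still clear text and lossy, which is why the relay needs to sit in the same subnet as the source.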
As a "Splunk" guy I would like everyone to use the Universal forwarders method, but I get that's not pragmatic. The answer more or less ends up being that you should select the most secure protocol your vendor allows.
I often see people confused on UDP vs TCP
I typed up this little diagram as a cheat sheet for my sysadmins to use. Let me know if you see any errors.