Vincent,
Sure. That would be a problem.
I was thinking of an alternative where the agent generates a new
signature of the XML document (the translated syslog message) using
XML-DigitalSignature from W3C.
(Before doing so, the agent may check the original syslog signature.)
As usual with security considerations, it would be more
costly both for:
- processing time on agent side (check old and generate new
signature),
- storage on the manager side (An XML-DS document might consume more
storage than a signed syslog message).
There is an important legal issue: AFAIK (I am not a lawyer), this would
be a "derived signature" and not an "original signature". I have been
told that (at least in the US) you need to have an original signature to
use the log as evidence in court. Other voices said that if one can
argue that the derived signature is as good as the original one AND can
prove this point, then it *might* be used as evidence, too. The problem
is that you must very carefully argue that no tampering is possible at
the gateway.