Short answer: a)
Long answer below:
In particular, we are aiming at an rsyslog configuration where
anything
passed to /dev/log is automatically annotated with "pid", "uid" and
other fields; at that point the information is 100% reliable.
Even that is not 100% true: for example, systemd fakes this information when it
"forwards" log messages from the real log socket to the one systemd provides. If
systemd can fake SCM_CREDENTIALS info, other apps can do as well. So there is no complete
trust even at this level.
Similarly, syslog messages can come from remote hosts over TCP, and
if
those hosts are similarly configured by the same administrators, the
data is reliable as well.
Ignoring the local problem mentioned above for the moment: if RFC5425 mutual TLS
cert-based auth is in place, you can be sure that the remote system is actually what it
tells it is. Unfortunately, rsyslog does not currently expose the remote cert name. This
is on the todo list and waits for the new hierarchical property engine which I hope to
begin "these days" (blog post coming up).
Note that there is a solution described in RFC5848, "signed syslog messages".
This permits signing of messages and thus provides ultimate proof of authenticy.
Unfortunately, the RFC does not support the dynamic filtering usually found in practice.
This is the prime reason I was so far hesitant to implement it. But it may be worth having
another look at that issue. The second problem is that the authenticy goes back to the
signer, which usually is the syslogd but not the log-emitting application. If the syslogd
receives faked information (see first point above), these signatures provide a false sense
of security. Even if we ignore that problem, it would probably be best to provide
signature capability in the logging library vs. the syslogd.
Rainer