On Mon, 18 Feb 2002, Yura Socolov wrote:

[ interesting points on pushing or pulling logs to a central logging infrastructure snipped ]

> The point is (you probably wonder by now =), choosing between push and pull and

Perhaps one choice doesn't exclude the other ...

The IPFC way would be the following:

- monitored machines send their logs to an intermediary server (no extra listening ports on the monitored machines), very low privileges on the intermediary server. -> pushing
- central logging server fetches logs from the intermediary server -> pulling

So you can see that the intermediary server basically has no rights to connect to the rest of the network *at all*.

Moreover, the logs can be signed so that end-to-end authentication is possible.

Of course some failure modes exist, but these are of a DoS nature - if the central logging server does sufficient format validation on the fetched data (if you see something else, I'd like to hear of it).

Best regards,
Tycho

--
Tycho Fruru tycho.fruruat_private
http://www.fruru.com

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 15:03:57 PST
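The push-then-pull arrangement Tycho describes, worked through as an added example (this is not code from the original post, the mailing list, or the IPFC project). It assumes a per-host HMAC-SHA256 key shared between each monitored host and the central server as the "signing" mechanism (a public-key signature such as Ed25519 would be the stronger choice, since then not even the central server could forge a record), a fixed `host|seq|ts|msg|mac` record grammar, and a handful of constructed log lines. The intermediary is modelled as a dumb spool that the central server pulls from and trusts for nothing: tampered, forged, replayed, oversized and garbled records are all rejected by format validation and MAC checks, and the one thing a hostile intermediary can still do, dropping records, shows up as a sequence gap rather than as accepted data.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Assumption: each monitored host shares a per-host key with the central server.
# Keys are constructed for this example.
HOST_KEYS: Dict[str, bytes] = {
    "web01": b"constructed-per-host-key-for-web01",
    "db01": b"constructed-per-host-key-for-db01",
}

MAX_RECORD_BYTES = 4096
# Strict record grammar the central server accepts:  host|seq|ts|msg|mac
# msg may not contain control characters or the '|' delimiter.
RECORD_RE = re.compile(
    r"^[a-z0-9]{1,32}\|\d{1,12}\|\d{1,12}\|[^\x00-\x1f|]{1,2048}\|[0-9a-f]{64}$"
)


def _mac(key: bytes, host: str, seq, ts, msg: str) -> str:
    """HMAC over every field so none of them can be altered in transit."""
    return hmac.new(key, f"{host}|{seq}|{ts}|{msg}".encode(), hashlib.sha256).hexdigest()


def push_record(host: str, seq: int, ts: int, msg: str) -> str:
    """Monitored-host side: build one signed record to push to the intermediary."""
    return f"{host}|{seq}|{ts}|{msg}|{_mac(HOST_KEYS[host], host, seq, ts, msg)}"


class Intermediary:
    """Untrusted spool: hosts append, the central server reads. Nothing else."""

    def __init__(self) -> None:
        self.spool: List[str] = []

    def accept(self, record: str) -> None:
        self.spool.append(record)

    def serve(self) -> List[str]:
        return list(self.spool)


def pull_and_verify(records: List[str], last_seq: Dict[str, int]):
    """Central-server side: strict format validation, MAC check, replay and gap detection.

    Returns (accepted, rejected, gaps); rejected holds (prefix, reason),
    gaps holds (host, first_missing_seq, last_missing_seq).
    """
    accepted, rejected, gaps = [], [], []
    for raw in records:
        # Format validation first: nothing past this line sees an unvalidated record.
        if len(raw.encode(errors="replace")) > MAX_RECORD_BYTES or not RECORD_RE.match(raw):
            rejected.append((raw[:40], "malformed"))
            continue
        host, seq, ts, msg, mac = raw.split("|")
        key = HOST_KEYS.get(host)
        if key is None:
            rejected.append((raw[:40], "unknown host"))
            continue
        if not hmac.compare_digest(mac, _mac(key, host, seq, ts, msg)):
            rejected.append((raw[:40], "bad mac"))
            continue
        seq_i = int(seq)
        prev = last_seq.get(host, 0)
        if seq_i <= prev:
            rejected.append((raw[:40], "replay/out-of-order"))
            continue
        if seq_i > prev + 1:
            # Records were lost or withheld between us and the host: DoS, not forgery.
            gaps.append((host, prev + 1, seq_i - 1))
        last_seq[host] = seq_i
        accepted.append({"host": host, "seq": seq_i, "ts": int(ts), "msg": msg})
    return accepted, rejected, gaps


def demo():
    """Constructed run: honest pushes plus what a compromised intermediary might try."""
    inter = Intermediary()
    inter.accept(push_record("web01", 1, 1013900000, "sshd[123]: Accepted publickey for alice"))
    inter.accept(push_record("web01", 2, 1013900005, "sshd[123]: session opened"))
    inter.accept(push_record("db01", 1, 1013900007, "postgres: checkpoint complete"))
    good = inter.spool[1]
    inter.accept(good.replace("session opened", "session opened; rm -rf /"))  # tampered body
    inter.accept("web01|3|1013900010|fake: root login ok|" + "0" * 64)         # forged, no key
    inter.accept(good)                                                          # replayed
    inter.accept("web01|4|1013900011|" + "A" * 3000 + "|" + "0" * 64)           # oversized
    inter.accept("\x1b[2J web01 injection attempt")                             # terminal escapes
    inter.accept(push_record("web01", 5, 1013900020, "cron: job done"))         # honest, after a gap
    return pull_and_verify(inter.serve(), {})


if __name__ == "__main__":
    accepted, rejected, gaps = demo()
    for rec in accepted:
        print("OK  ", rec)
    for prefix, reason in rejected:
        print("DROP", reason, repr(prefix))
    for host, first, last in gaps:
        print("GAP ", host, "missing seq", first, "to", last)
```

The ordering inside `pull_and_verify` is the point of Tycho's caveat: the grammar check runs before anything is split or parsed, so a hostile intermediary can only feed the central server strings that already look like well-formed records, and those still need a valid MAC and a fresh sequence number. What survives is exactly the DoS class: the withheld records show up as a gap for `web01`, which is something to alert on rather than something to trust.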