Re: [logs] a small reminder

From: Tom Perrine (tepat_private)
Date: Mon Aug 26 2002 - 14:34:23 PDT


    >>>>> On Mon, 26 Aug 2002 21:00:18 +0000 (GMT), Tina Bird <tbird@precision-guesswork.com> said:
    
        TB> whilst i'm enjoying the conversation about log formats and transport
        TB> mechanisms, i feel obliged to point out that when i kicked off discussion
        TB> #1 on the path to world domination, i was trying to build a list of events
        TB> we'd like to see logged.
    
    OK, so we break it down into:
    
    * events to be logged (what is currently logged?  What are we
      missing?)
    
        - authentication (failures and successes)
        - network connections (be able to log all, a'la tcp_wrappers)
        - HW failures
        - SW failures
        - object accesses (?)
    
        Note: there is a *lot* of work in this field that is pretty old,
        and at least asked all the right questions, even if today's
        specific answers might be different.  See _A Guide to
        Understanding Audit in Trusted Systems_ (Tan Book)
        (part of the rainbow series)
    
        A better way might be to define about a dozen buckets and start
        putting messages from our own logs into them, wherever they fit.
        If we find a message that doesn't fit into an already-defined
        bucket, create a new bucket.  This will tell us the kinds of
        things we are already getting.  It's the start of a taxonomy, if
        nothing else.
    
    * format of event notifications (check IDMEF, Apache "common log format")
      (looks like some kind of XML.  Is there overlap with IDMEF?)
    
    * transport of events (syslog-reliable++ is probably the answer)
    
    So it looks like at least 2 of these three areas have standards-track
    solutions.  Yup, we're back to Tina's original question:  *what*
    events do we care about?
    
        TB> as seems to be standard when we talk about logging, we have gone haring
        TB> off after how to transport the data and how to parse the data and we've
        TB> lost track of what bloody data we're after.  arguments about "could it be
        TB> standardized" notwithstanding, sniff, sniff, surely >>someone<< out there
        TB> has opinions about other things they'd like to see?
    
    If we define the events, then at least new SW might follow the
    definition instead of going off and inventing yalm (yet another log
    message).
    
    --tep
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
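One way to run the bucket exercise Tom describes above, as an added example that is not part of the thread: sort a handful of syslog lines into the five buckets he lists and keep whatever does not fit as the seed for the next bucket. The sample lines and the regex per bucket are assumptions made for this example, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines for this example (not taken from the thread).
SAMPLE_LOGS = [
    "sshd[1042]: Failed password for root from 10.0.0.5 port 4022 ssh2",
    "sshd[1043]: Accepted publickey for alice from 10.0.0.9 port 4023 ssh2",
    "in.ftpd[2201]: connect from 192.0.2.7",
    "kernel: sd 0:0:0:0: [sda] I/O error, dev sda, sector 12345",
    "httpd[311]: segfault at 0 ip 0804a1c0 error 4 in libc.so",
    "audit: open of /etc/shadow denied for uid=1001",
    "cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

# The five buckets named in the message, each with a regex chosen for this
# example; the patterns are assumptions and would grow as real logs are sorted.
BUCKETS = [
    ("authentication", r"\b(Failed|Accepted) (password|publickey)\b"),
    ("network connection", r"\bconnect(ion)? (from|to) \S+"),
    ("hardware failure", r"\bI/O error\b|\bmachine check\b"),
    ("software failure", r"\bsegfault\b|\bcore dumped\b|\bpanic\b"),
    ("object access", r"\b(open|read|write) of \S+ (denied|allowed)\b"),
]
COMPILED = [(name, re.compile(pat, re.I)) for name, pat in BUCKETS]

def classify(line):
    """Return the first bucket whose pattern matches, or None if nothing fits."""
    for name, pat in COMPILED:
        if pat.search(line):
            return name
    return None

def auth_outcome(line):
    """For authentication events, record success vs. failure (both are wanted)."""
    if re.search(r"\bFailed\b|\bdenied\b|\binvalid\b", line, re.I):
        return "failure"
    if re.search(r"\bAccepted\b|\bsuccess", line, re.I):
        return "success"
    return "unknown"

def bucketize(lines):
    """Sort lines into buckets; anything unmatched is kept under 'unclassified'
    so it can be read and used to define the next bucket."""
    out = defaultdict(list)
    for line in lines:
        out[classify(line) or "unclassified"].append(line)
    return dict(out)
```

Running `bucketize(SAMPLE_LOGS)` leaves only the cron line unclassified, which is exactly the kind of message that would prompt a new bucket (scheduled jobs, say).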



    This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 14:50:35 PDT