On Mon, 2002-08-26 at 17:47, Chris Adams wrote: > On Sunday, August 25, 2002, at 06:02 , Russell Fulton wrote: > > What would also be useful is some indication of the accuracy of the > > clock. We don't need this in every record but it would be useful in a > > file header. > > What do you mean by accuracy - precision to a known fraction of a second > or skew from UTC? In the former case I'd like to simply make the > timestamp field accept floating-point values. In the later, see below. Well, allowing better than 1 second accuracy should definitly be part of any standard (an awful lot can happen in a second these days!) But what I was really getting at was reliability rather than accuracy (poor choice of words on my part). A couple of cases spring to mind: 1/ the one you mention, system is known to lie about the time (you have a laptop that was used by a former employee and don't know root password or the bios password and are too busy right now to do a complete reinstall just to change the time). 2/ Some machines are constantly sync'ed using NTP some sync'ed on boot, some are not sync'ed at all. Having that information included with the log file could be useful if at some time in the future you need to do correlations with other files. If you don't know how accurate the clocks are it is dam near impossible. -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand "It aint necessarily so" - Gershwin _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 09:39:31 PDT