Re: [logs] a small reminder

From: Michael Poon (mpoonat_private)
Date: Tue Aug 27 2002 - 09:46:24 PDT


    Events to be logged (my addition)
    
    - use of special privilege
    - system start-up and stop
    - I/O device attachment/detachment
    - password changes
    - modification to software
    
    MP.
    
    Tom Perrine wrote:
    > 
    > >>>>> On Mon, 26 Aug 2002 21:00:18 +0000 (GMT), Tina Bird <tbird@precision-guesswork.com> said:
    > 
    >     TB> whilst i'm enjoying the conversation about log formats and transport
    >     TB> mechanisms, i feel obliged to point out that when i kicked off discussion
    >     TB> #1 on the path to world domination, i was trying to build a list of events
    >     TB> we'd like to see logged.
    > 
    > OK, so we break it down into:
    > 
    > * events to be logged (what is currently logged?  What are we
    >   missing?)
    > 
    >     - authentication (failures and successes)
    >     - network connections (be able to log all, à la tcp_wrappers)
    >     - HW failures
    >     - SW failures
    >     - object accesses (?)
    > 
    >     Note: there is a *lot* of work in this field that is pretty old,
    >     and at least asked all the right questions, even if today's
    >     specific answers might be different.  See _A Guide to
    >     Understanding Audit in Trusted Systems_ (Tan Book)
    >     (part of the rainbow series)
    > 
    >     A better way might be to define about a dozen buckets and start
    >   putting messages from our own logs into them, wherever they fit.
    >     If we find a message that doesn't fit into an already-defined
    >     bucket, create a new bucket.  This will tell us the kinds of
    >     things we are already getting.  It's the start of a taxonomy, if
    >     nothing else.
    > 
    > * format of event notifications (check IDMEF, Apache "common log format")
    >   (looks like some kind of XML.  Is there overlap with IDMEF?)
    > 
    > * transport of events (syslog-reliable++ is probably the answer)
    > 
    > So it looks like at least 2 of these three areas have standards-track
    > solutions.  Yup, we're back to Tina's original question:  *what*
    > events do we care about?
    > 
    >     TB> as seems to be standard when we talk about logging, we have gone haring
    >     TB> off after how to transport the data and how to parse the data and we've
    >     TB> lost track of what bloody data we're after.  arguments about "could it be
    >     TB> standardized" notwithstanding, sniff, sniff, surely >>someone<< out there
    >     TB> has opinions about other things they'd like to see?
    > 
    > If we define the events, then at least new SW might follow the
    > definition instead of going off and inventing yalm (yet another log
    > message).
    > 
    > --tep
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    
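An added example (not code from the LogAnalysis list or from either poster) of the bucketing exercise Tom describes above: a script that parses RFC 3164-style syslog lines and drops each one into the event buckets named in this thread (Tom's five plus Michael's five), with an "unbucketed" catch-all for anything that fits none of them. The bucket names are taken from the thread; the message patterns, the parsing regex, and the sample log lines are constructed assumptions of mine, not anything the list agreed on.

```python
"""Sort syslog lines into the event buckets proposed on the LogAnalysis list.

Added example, not code from the list or either poster.  Bucket names come
from Tom Perrine's and Michael Poon's lists; the patterns, the parser and the
sample lines below are my own assumptions.
"""
import re
from collections import OrderedDict

# RFC 3164-style line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# (bucket, pattern tried against the message body).  Order matters: the first
# match wins, so the more specific patterns sit first.  Patterns are assumed.
BUCKETS = [
    ("authentication", re.compile(r"^(Accepted|Failed) (password|publickey) for|authentication failure")),
    ("privilege-use", re.compile(r"^\S+ : TTY=.*; COMMAND=|\(to root\)")),
    ("password-change", re.compile(r"password changed for")),
    ("network-connection", re.compile(r"^(refused )?connect from ")),
    ("system-start-stop", re.compile(r"^Linux version |shutting down for system|^Starting kernel")),
    ("device-attach-detach", re.compile(r"new \S+-speed USB device|USB disconnect")),
    ("hw-failure", re.compile(r"I/O error|Machine check|Hardware Error")),
    ("sw-failure", re.compile(r"segfault at|core dumped|Out of memory: Kill")),
    ("software-modification", re.compile(r"^(Installed|Updated|Erased): ")),
    ("object-access", re.compile(r"^type=PATH |^type=SYSCALL ")),
]
UNBUCKETED = "unbucketed"  # the to-do list: messages that need a new bucket


def parse_syslog(line):
    """Split one RFC 3164-style line into its fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["msg"] = fields["msg"].strip()
    return fields


def classify(line):
    """Return the bucket for a line; unparseable or unmatched lines go to UNBUCKETED."""
    rec = parse_syslog(line)
    if rec is None:
        return UNBUCKETED
    for name, pattern in BUCKETS:
        if pattern.search(rec["msg"]):
            return name
    return UNBUCKETED


def bucketize(lines):
    """Group lines by bucket, keeping every bucket (even empty ones) in list order."""
    groups = OrderedDict((name, []) for name, _ in BUCKETS)
    groups[UNBUCKETED] = []
    for line in lines:
        groups[classify(line)].append(line)
    return groups


def summarize(lines):
    """Count lines per bucket; a large unbucketed count means the taxonomy is short."""
    return {name: len(group) for name, group in bucketize(lines).items()}


# Constructed sample log; these lines are not from any real host.
SAMPLE_LOG = [
    "Aug 27 09:46:24 host1 sshd[2310]: Accepted password for alice from 10.0.0.5 port 51122 ssh2",
    "Aug 27 09:46:30 host1 sshd[2312]: Failed password for invalid user admin from 10.0.0.9 port 41020 ssh2",
    "Aug 27 09:47:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Aug 27 09:47:05 host1 su[2320]: (to root) bob on pts/1",
    "Aug 27 09:47:10 host1 passwd[2330]: pam_unix(passwd:chauthtok): password changed for bob",
    "Aug 27 09:47:15 host1 sshd[2340]: refused connect from 192.0.2.7 (192.0.2.7)",
    "Aug 27 09:47:16 host1 in.telnetd[2341]: connect from 10.0.0.12 (10.0.0.12)",
    "Aug 27 09:48:00 host1 kernel: usb 1-1: new high-speed USB device number 4 using ehci-pci",
    "Aug 27 09:48:05 host1 kernel: sd 2:0:0:0: [sdb] I/O error, dev sdb, sector 1234",
    "Aug 27 09:48:09 host1 kernel: httpd[2400]: segfault at 0 ip 00007f3a sp 00007ffc error 4 in libc.so.6",
    "Aug 27 09:48:20 host1 yum[2410]: Installed: openssl-1.0.1.x86_64",
    "Aug 27 09:48:30 host1 audispd[2420]: type=PATH msg=audit(1030466910.123:42): item=0 name=\"/etc/shadow\"",
    "Aug 27 09:49:00 host1 shutdown[2500]: shutting down for system halt",
    "Aug 27 09:49:01 host1 cron[2501]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog at all",
]


if __name__ == "__main__":
    groups = bucketize(SAMPLE_LOG)
    for name, group in groups.items():
        print(f"{name:24s} {len(group)}")
    for line in groups[UNBUCKETED]:
        print("  needs a bucket:", line)
```

Point it at a real /var/log/messages by replacing SAMPLE_LOG with the file's lines; the unbucketed group is then the list of messages that need a new bucket, which is the loop Tom proposes. Because the first matching pattern wins, a sudo failure that PAM reports as "authentication failure" lands in authentication rather than privilege-use, so the pattern order is itself a taxonomy decision worth writing down.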
    



    This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 09:52:44 PDT