>>>>> On 27 Aug 2002 14:57:39 +1200, Russell Fulton <r.fultonat_private> said:

RF> 1/ the one you mention, system is known to lie about the time (you have
RF> a laptop that was used by a former employee and don't know root password
RF> or the bios password and are too busy right now to do a complete
RF> reinstall just to change the time).

RF> 2/ Some machines are constantly sync'ed using NTP, some sync'ed on boot,
RF> some are not sync'ed at all. Having that information included with the
RF> log file could be useful if at some time in the future you need to do
RF> correlations with other files. If you don't know how accurate the
RF> clocks are it is damn near impossible.

I think that this is a new category of "things to log": *characteristics of the data source*, which can include time, physical location, etc. I think that there is some "prior art" in IDMEF for this, but it's been a while since I read any drafts.

One way to do this is to include a periodic "I think my time is" message. The difference between this and the time on the sink (assumed to be good!) is useful, and several of these messages with different offsets indicate either a bad clock or interesting network problems. The message might also indicate the quality of the clock, how it is sync'ed (NTP stratum?), etc.

Could we agree on some terminology from the RFCs:

  device or source - initial creator of a log record
  relay - relays log records
  sink - gathers and stores log records

A host (or device) may act in any combination of these roles.

--tep

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
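The sink-side half of the "I think my time is" scheme described in the message above, as an added example that is not part of the original post or the list's own code. It assumes a constructed record format in which each source periodically logs `host=<name> TIMECHECK my_time=<ISO-8601>` plus the optional clock-quality hints the post mentions (`sync=` method, NTP `stratum=`), and that the sink stores its own receive time next to each line. The thresholds (5 s) and the sample records are invented for illustration; the sink's clock is taken as trustworthy, as in the post.

```python
import re
import statistics
from datetime import datetime

# Constructed sample: (sink receive time, raw record from the source), all UTC.
# lab1 is NTP-synced and agrees with the sink; laptop7 has a constant, badly
# wrong clock; dmz-rtr's offset jumps around between heartbeats.
SAMPLE_RECORDS = [
    ("2002-08-27T03:00:00Z", "host=lab1 TIMECHECK my_time=2002-08-27T03:00:00Z sync=ntp stratum=3"),
    ("2002-08-27T03:05:00Z", "host=lab1 TIMECHECK my_time=2002-08-27T03:05:00Z sync=ntp stratum=3"),
    ("2002-08-27T03:10:00Z", "host=lab1 TIMECHECK my_time=2002-08-27T03:10:01Z sync=ntp stratum=3"),
    ("2002-08-27T03:00:00Z", "host=laptop7 TIMECHECK my_time=2001-08-27T03:00:00Z sync=none"),
    ("2002-08-27T03:05:00Z", "host=laptop7 TIMECHECK my_time=2001-08-27T03:05:00Z sync=none"),
    ("2002-08-27T03:10:00Z", "host=laptop7 TIMECHECK my_time=2001-08-27T03:10:00Z sync=none"),
    ("2002-08-27T03:00:00Z", "host=dmz-rtr TIMECHECK my_time=2002-08-27T02:59:58Z sync=boot"),
    ("2002-08-27T03:05:00Z", "host=dmz-rtr TIMECHECK my_time=2002-08-27T03:05:40Z sync=boot"),
    ("2002-08-27T03:10:00Z", "host=dmz-rtr TIMECHECK my_time=2002-08-27T03:09:10Z sync=boot"),
    ("2002-08-27T03:10:02Z", "host=lab1 sshd: ordinary record, not a heartbeat"),
]

# Hypothetical heartbeat syntax; sync= and stratum= are optional hints.
HEARTBEAT_RE = re.compile(
    r"host=(?P<host>\S+) TIMECHECK my_time=(?P<my_time>\S+)"
    r"(?: sync=(?P<sync>\S+))?(?: stratum=(?P<stratum>\d+))?"
)


def parse_ts(text):
    """Parse an ISO-8601 timestamp; 'Z' is mapped to +00:00 for older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_heartbeat(line):
    """Return the fields of a TIMECHECK record, or None for any other record."""
    m = HEARTBEAT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["my_time"] = parse_ts(fields["my_time"])
    fields["stratum"] = int(fields["stratum"]) if fields["stratum"] else None
    return fields


def collect_offsets(records):
    """Map host -> list of (source clock - sink clock) offsets in seconds,
    plus the last-seen sync/stratum hints per host."""
    offsets, hints = {}, {}
    for received, line in records:
        hb = parse_heartbeat(line)
        if hb is None:
            continue  # only heartbeats say anything about the clock
        delta = (hb["my_time"] - parse_ts(received)).total_seconds()
        offsets.setdefault(hb["host"], []).append(delta)
        hints[hb["host"]] = {"sync": hb["sync"], "stratum": hb["stratum"]}
    return offsets, hints


def assess_clock(offsets, spread_tol=5.0, skew_tol=5.0):
    """Classify a host's offsets: 'ok' (small and stable), 'skew' (stable but
    wrong, so a constant correction can be applied when correlating), or
    'unstable' (offset changes between heartbeats: bad clock or network delay)."""
    median = statistics.median(offsets)
    spread = max(offsets) - min(offsets)
    if spread > spread_tol:
        verdict = "unstable"
    elif abs(median) > skew_tol:
        verdict = "skew"
    else:
        verdict = "ok"
    return {"median_offset": median, "spread": spread, "verdict": verdict}


def assess_sources(records, **tolerances):
    """Per-host clock assessment over a batch of sink-side records."""
    offsets, hints = collect_offsets(records)
    return {host: {**assess_clock(o, **tolerances), **hints[host]}
            for host, o in offsets.items()}


if __name__ == "__main__":
    for host, r in assess_sources(SAMPLE_RECORDS).items():
        print(f"{host:8} offset={r['median_offset']:+.0f}s spread={r['spread']:.0f}s "
              f"sync={r['sync']} stratum={r['stratum']} -> {r['verdict']}")
```

The verdict is what a later correlation job needs: a `skew` host's records can be shifted by the median offset before being lined up against other files, while an `unstable` host's timestamps should be treated as untrustworthy for fine-grained correlation regardless of what `sync=` claims.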
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 10:25:57 PDT