On Monday, Aug 26, 2002, at 19:57 US/Pacific, Russell Fulton wrote:

> 2/ Some machines are constantly sync'ed using NTP, some sync'ed on boot,
> some are not sync'ed at all. Having that information included with the
> log file could be useful if at some time in the future you need to do
> correlations with other files. If you don't know how accurate the
> clocks are it is damn near impossible.

Unless we just prominently document the problem and otherwise punt the issue, I see two choices. The best one would be including something like NTP in the spec to determine the relative offsets between the clients and the log server at periodic intervals. This would give accuracy at the expense of adding a non-trivial amount of additional work for implementors.

As a compromise what do you think about having any relay or log server simply add a local time element to any message which differs from its clock by more than a defined period? That'd still leave network delays but it would help us track down consistently wrong sources or relays. We'd probably also need that element to include some info about its time source and when it was last synced since it's easy to imagine scenarios where a remote network's relay could lose connectivity to the NTP server, too.

Chris

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
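The compromise proposed in the message above, sketched as an added example that is not part of the original post or of any spec: a relay adds a local time element only to messages outside a threshold, and an analysis pass separates a stable clock offset from one-off delay. The field names, the 30-second threshold and the sample messages are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

THRESHOLD = timedelta(seconds=30)  # assumed value; the post only says "a defined period"

def annotate(msg, relay_now, time_source, last_sync, threshold=THRESHOLD):
    """Relay side: add a local time element only when the message's
    timestamp differs from the relay clock by more than the threshold."""
    skew = (msg["timestamp"] - relay_now).total_seconds()
    if abs(skew) <= threshold.total_seconds():
        return msg
    return {**msg, "relay_time": {          # hypothetical element name
        "time": relay_now,
        "time_source": time_source,         # lets a reader weigh the relay's clock
        "last_sync": last_sync,             # stale if the relay lost its NTP server
        "skew_seconds": skew,
    }}

def consistently_wrong(messages, min_samples=3, threshold=THRESHOLD):
    """Analysis side: sources whose recorded skews cluster around one
    offset (a wrong clock) rather than varying like network delay."""
    skews = {}
    for m in messages:
        if "relay_time" in m:
            skews.setdefault(m["source"], []).append(m["relay_time"]["skew_seconds"])
    limit = threshold.total_seconds()
    return {src: median(v) for src, v in skews.items()
            if len(v) >= min_samples and max(v) - min(v) <= limit}

def demo():
    """Constructed sample: hostA is accurate, hostB runs an hour slow,
    hostC has a single delayed message."""
    t0 = datetime(2002, 8, 26, 19, 57, tzinfo=timezone.utc)
    synced = t0 - timedelta(minutes=10)
    sent = [("hostA", 1), ("hostB", -3601), ("hostB", -3600),
            ("hostC", -45), ("hostB", -3599), ("hostA", -2)]
    out = []
    for i, (src, off) in enumerate(sent):
        now = t0 + timedelta(minutes=i)     # relay clock when the message arrives
        msg = {"source": src, "timestamp": now + timedelta(seconds=off), "text": "test"}
        out.append(annotate(msg, now, "ntp", synced))
    return out

if __name__ == "__main__":
    print(consistently_wrong(demo()))
```
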