mjr said:
> lot of simplifying assumptions you can make about logs:
> - they are inserted in event-sequence

I think this is an important point to stress. syslogd records entries with
the timestamp from the originator. In a networked environment this can be
misleading when correlating logs based on that timestamp due to clock
ambiguities or drifts. Log correlation should take into account the strict
sequencing [1] that an "append-to-disk" centralized log system gives you.

[1] As "strict" as you can get when taking into account packet loss, network
congestion, kernel buffering and other extenuating factors.

--
Matt Bing
NFR Security Rapid Response Team
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
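As an added illustration of the point made in this message (example code written for this archive page, not from the post or from NFR), the script below contrasts the two orderings a central collector can offer: the originator's syslog timestamp versus the collector's own append sequence. The record layout, hostnames, messages and the 4m59s clock skew on "db1" are all constructed for the example; the collector is assumed to prepend a sequence number and its own receive time to each line it appends, and RFC 3164 stamps are assumed to take their year from the collector's clock.

```python
import re
import statistics
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample of what an "append-to-disk" collector might store:
# "<seq> <receive_time> <originator_timestamp> <host> <message>".
# seq and receive_time come from the collector; the originator timestamp is
# the RFC 3164-style stamp the sending syslogd put in the packet. db1's clock
# is assumed to run 4m59s slow. Hostnames, users and messages are made up.
SAMPLE_LOG = """\
1 2002-12-04T12:00:00 Dec  4 12:00:00 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5
2 2002-12-04T12:00:01 Dec  4 11:55:02 db1 sshd[555]: Accepted publickey for alice from 10.0.0.5
3 2002-12-04T12:00:02 Dec  4 12:00:02 web1 sudo: alice : COMMAND=/sbin/service httpd restart
4 2002-12-04T12:00:03 Dec  4 11:55:04 db1 sudo: alice : COMMAND=/usr/bin/mysqldump inventory
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<recv>\S+) "
    r"(?P<orig>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


class Record(NamedTuple):
    seq: int          # collector-assigned arrival sequence number
    recv: datetime    # collector clock at receipt
    orig: datetime    # originator's stamp (year assumed from recv)
    host: str
    msg: str


def parse_line(line: str) -> Record:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    recv = datetime.fromisoformat(m["recv"])
    # RFC 3164 stamps carry no year; borrow it from the collector's clock.
    orig = datetime.strptime(m["orig"], "%b %d %H:%M:%S").replace(year=recv.year)
    return Record(int(m["seq"]), recv, orig, m["host"], m["msg"])


def parse_log(text: str) -> List[Record]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def order_by_arrival(records: List[Record]) -> List[Record]:
    """The sequence the collector actually saw: what the post recommends correlating on."""
    return sorted(records, key=lambda r: r.seq)


def order_by_originator(records: List[Record]) -> List[Record]:
    """Ordering by the senders' own clocks: misleading when a host's clock drifts."""
    return sorted(records, key=lambda r: (r.orig, r.seq))


def estimate_skew(records: List[Record]) -> Dict[str, timedelta]:
    """Per-host median of (originator stamp - collector receive time)."""
    offsets: Dict[str, List[float]] = {}
    for r in records:
        offsets.setdefault(r.host, []).append((r.orig - r.recv).total_seconds())
    return {h: timedelta(seconds=statistics.median(v)) for h, v in offsets.items()}


def drifting_hosts(records: List[Record],
                   tolerance: timedelta = timedelta(seconds=60)) -> List[str]:
    """Hosts whose clock disagrees with the collector by more than the tolerance."""
    return sorted(h for h, s in estimate_skew(records).items() if abs(s) > tolerance)


def normalize_to_collector_time(records: List[Record]) -> List[Record]:
    """Move each originator stamp onto the collector's timeline by removing per-host skew."""
    skew = estimate_skew(records)
    return [r._replace(orig=r.orig - skew[r.host]) for r in records]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by originator stamp:", [(r.host, r.orig.time().isoformat()) for r in order_by_originator(recs)])
    print("by arrival sequence:", [(r.host, r.recv.time().isoformat()) for r in order_by_arrival(recs)])
    print("hosts with drifting clocks:", drifting_hosts(recs))
```

Sorted by originator stamp, both db1 events appear to precede both web1 events by nearly five minutes, although the collector received them interleaved within three seconds. The per-host skew estimate is only a rough correction; as the footnote in the message notes, network delay and buffering mean the arrival sequence itself is not perfectly strict either, so the estimate is best used to flag hosts whose clocks need attention rather than to rewrite history silently.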
This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 12:11:35 PST