Hi,

Wouldn't it be enough to configure your central log host as an NTP server for the machines generating syslogs or other logs? As long as all those machines are placed in a high-capacity network, drift problems would be minimal and under control. If this is really a big issue for your network and environment, you might also consider out-of-band NTP sync. In that way, it is also possible to timestamp all syslog entries (or other logs!) centrally, taking time-related issues into consideration.

Best regards,

Tevfik Karagulle
ITEFIX Consulting
mail tevfikat_private, web http://www.itefix.no
Logrep - a logfile extraction and reporting system - http://logrep.sourceforge.net

----- Original Message -----
From: "Matt Bing" <mbingat_private>
To: <loganalysisat_private>
Sent: Wednesday, December 04, 2002 6:59 PM
Subject: Re: [logs] Secure Central Log Host

> mjr said:
> > lot of simplifying assumptions you can make about logs:
> > - they are inserted in event-sequence
>
> I think this is an important point to stress. syslogd records entries with
> the timestamp from the originator. In a networked environment this can
> be misleading when correlating logs based on that timestamp due to clock
> ambiguities or drifts. Log correlation should take into account the
> strict sequencing [1] that an "append-to-disk" centralized log system gives
> you.
>
> [1] As "strict" as you can get when taking into account packet loss,
> network congestion, kernel buffering and other extenuating factors.
>
> --
> Matt Bing
> NFR Security
> Rapid Response Team
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
>

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
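The two points made in this exchange, stamping every entry centrally on receipt and correlating on the collector's append order rather than on the originator's clock, can be shown with a small append-only collector. The code below is an added example and is not part of the thread or of any tool mentioned in it; it assumes RFC 3164 style lines of the form `<PRI>Mon DD HH:MM:SS host message`, the sample lines and receive times are constructed by hand, and the 30-second drift threshold is an arbitrary choice.

```python
"""Append-only central log that records, for every syslog line it receives,
a collector sequence number and the collector's own receive time next to the
timestamp the originating host put in the message (added example, not code
from the thread).
"""
import re
from datetime import datetime, timedelta

# RFC 3164 style line: <PRI>Mon DD HH:MM:SS host message  (assumed format)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_originator_time(ts: str, year: int) -> datetime:
    """RFC 3164 timestamps carry no year; the collector supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class CentralLog:
    """Entries are appended in arrival order and never reordered, so `seq`
    is the "append-to-disk" sequence the thread talks about."""

    def __init__(self, year: int, max_drift: timedelta = timedelta(seconds=30)):
        self.year = year
        self.max_drift = max_drift
        self.entries = []

    def append(self, raw: str, received_at: datetime) -> dict:
        m = SYSLOG_RE.match(raw)
        if not m:
            raise ValueError(f"unparsable syslog line: {raw!r}")
        orig = parse_originator_time(m.group("ts"), self.year)
        drift = received_at - orig          # positive: originator clock behind us
        entry = {
            "seq": len(self.entries),       # collector sequence number
            "received_at": received_at,     # collector's clock, the one to trust
            "originator_time": orig,        # what the sender claimed
            "host": m.group("host"),
            "msg": m.group("msg"),
            "drift": drift,
            "clock_suspect": abs(drift) > self.max_drift,
        }
        self.entries.append(entry)
        return entry

    def order_by_receipt(self):
        """Correlation order the thread recommends: collector append order."""
        return sorted(self.entries, key=lambda e: e["seq"])

    def order_by_originator(self):
        """Naive order: trust each sender's own clock (shows the ambiguity)."""
        return sorted(self.entries, key=lambda e: (e["originator_time"], e["seq"]))

    def hosts_with_suspect_clocks(self):
        """Hosts whose stamps disagree with the collector by more than max_drift;
        these are the ones to check against the central NTP server."""
        return sorted({e["host"] for e in self.entries if e["clock_suspect"]})


def demo() -> CentralLog:
    """Constructed sample: fw1's clock runs about two minutes fast, db1's a few
    seconds slow, web1's is correct. Receive times are chosen by hand."""
    base = datetime(2002, 12, 4, 18, 59, 0)
    log = CentralLog(year=2002)
    samples = [
        ("<38>Dec  4 18:59:00 web1 sshd[4242]: Accepted publickey for alice",
         base + timedelta(seconds=1)),
        ("<36>Dec  4 19:01:05 fw1 kernel: DENY in=eth0 src=10.0.0.7",
         base + timedelta(seconds=3)),
        ("<38>Dec  4 18:58:58 db1 postgres[77]: connection authorized user=alice",
         base + timedelta(seconds=5)),
    ]
    for raw, received in samples:
        log.append(raw, received)
    return log


if __name__ == "__main__":
    log = demo()
    print("by receipt:   ", [e["host"] for e in log.order_by_receipt()])
    print("by originator:", [e["host"] for e in log.order_by_originator()])
    print("suspect clocks:", log.hosts_with_suspect_clocks())
```

Run stand-alone, the script shows the same three events in two different orders: by collector receipt it is web1, fw1, db1, while by the senders' own stamps it is db1, web1, fw1, with fw1 flagged because its stamp is more than 30 seconds off the collector's clock. Keeping both stamps per entry, rather than overwriting the originator's, lets the analyst see the disagreement instead of silently inheriting it.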
This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 17:38:45 PST