On Wed, 2002-12-04 at 14:00, Tevfik Karagulle wrote:

> > Wouldn't it be enough to configure your central log host as an NTP server
> > for machines generating syslogs or other logs ?

Sometimes you cannot do that; think, for example, of the cases when you need to "poke yet another hole" through some firewall to allow a host to send syslog datagrams to the logging server. In that case, poking two holes (syslog and NTP) instead of one (syslog) might make a big difference. (If you don't believe one more protocol poked through the firewall can be the cause for a major fuss, go ask the closest security analyst :-P)

The true solution is to modify syslogd. This software is so old and outdated, I'm perpetually amazed so very few people notice. Changing the code to use local timestamps instead of the ones provided by the datagrams should be no big deal. Some external configuration flag could change the behaviour between the default (use the datagrams' timestamps) and the alternative (use local time). I don't care what the RFC says (if there really is any mention in it of which time should be used); sometimes you just need to do it in a different way.

And logging, in the Unix world, is broken anyway. Just look at how every daemon has to reinvent the wheel and come up with its own logging thing.

In an ideal world, there would be a unique syslog daemon, and everything would be "aware" of it: the kernel, every daemon, different apps that need to use syslog, etc. That means a set of standardized syslog message formats, generic enough to be used by all aforementioned entities, flexible enough to be easily extended, clever enough to satisfy everyone's needs without compromises. That means a rewritten syslog network protocol, to provide support for these message formats, and some other neat features (some of them already mentioned recently on this mailing list: encryption, reliability, etc.). That means a completely new architecture for the syslog daemon, to support all these things, but also to scale gracefully in demanding enterprise environments, without forgetting the smallest embedded systems.

<plug>
A proposal for such a syslog daemon architecture can be found here:

http://florin.myip.org/syslog/

I wrote it for the Msyslog project (check SourceForge). This document contains quite a few things that I learned while I designed and implemented a logging database in a big enterprise environment. I'm not sure if the msyslog team (Alejo Sanchez, Fredrick Paul Eisele) will use it in future versions (it's up to them, really), but that would be a good thing, I suppose. The document, anyway, is open to anyone who finds these ideas interesting.
</plug>

--
Florin Andrei

It's ok to use the names of your pets or children as passwords as long as they contain several non-alphanumeric characters.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 19:23:12 PST
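The post proposes a syslogd flag that stamps incoming records with the collector's own clock instead of the timestamp carried in the datagram. The following is an added example written for this archive page; it is not code from the original post, from msyslog, or from any syslogd. It parses classic BSD-style syslog datagrams ("<PRI>Mmm dd hh:mm:ss HOSTNAME message"), keeps the sender's timestamp as evidence either way, and flags senders whose clock disagrees with the collector's by more than a threshold, since a skewed (or forged) sender timestamp is exactly what breaks cross-host correlation. The function name `parse_datagram`, the flag name `use_local_time`, the `max_skew` threshold and all sample datagrams are assumptions made up for the example.

```python
"""Added example: a syslog datagram parser with a "use local time" switch.

Not code from the original post or from the msyslog project.  Function and flag
names (parse_datagram, use_local_time, max_skew) are hypothetical; the sample
datagrams at the bottom are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Classic BSD syslog (RFC 3164) header: "<PRI>Mmm dd hh:mm:ss HOSTNAME msg".
# The day is space-padded ("Dec  4"); there is no year and no time zone.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([ \d]\d) (\d\d):(\d\d):(\d\d) "
)
MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def _sender_timestamp(match, received_at):
    """Turn the sender's "Mmm dd hh:mm:ss" into a datetime.  The format carries no
    year, so borrow it from the receive time and step back one year if that places
    the datagram noticeably in the future (a 31 Dec message received on 1 Jan)."""
    mon, day, hh, mm, ss = match.groups()
    ts = datetime(received_at.year, MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                  tzinfo=received_at.tzinfo)
    if ts - received_at > timedelta(days=1):
        ts = ts.replace(year=received_at.year - 1)
    return ts


def parse_datagram(raw, sender_addr, received_at, use_local_time=False,
                   max_skew=timedelta(minutes=5)):
    """Parse one syslog datagram (already decoded to str) into a record dict.

    use_local_time is the configuration flag the post suggests (hypothetical name):
    True stamps the record with the collector's receive time and keeps the sender's
    timestamp only as evidence (sender_ts); False uses the sender's timestamp, as
    traditional syslogd does.  In both modes the difference between the two clocks
    is reported, so a host with a drifting or forged clock can be alerted on.
    """
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        rest = raw[m.end():]
    else:
        pri = 13  # RFC 3164: a missing or malformed PRI is treated as user.notice
        rest = raw
    facility, severity = divmod(pri, 8)

    t = TS_RE.match(rest)
    if t:
        sender_ts = _sender_timestamp(t, received_at)
        host, _, msg = rest[t.end():].partition(" ")
    else:
        # No parsable timestamp: the collector must supply both time and host itself.
        sender_ts = None
        host, msg = sender_addr, rest

    if sender_ts is None:
        timestamp, source = received_at, "local-fallback"
    elif use_local_time:
        timestamp, source = received_at, "local"
    else:
        timestamp, source = sender_ts, "sender"

    skew = None if sender_ts is None else sender_ts - received_at
    return {
        "facility": facility,
        "severity": severity,
        "host": host,              # sender-supplied; sender_addr is what the socket saw
        "sender_addr": sender_addr,
        "timestamp": timestamp,
        "ts_source": source,
        "sender_ts": sender_ts,
        "skew": skew,
        "clock_skew": skew is not None and abs(skew) > max_skew,
        "msg": msg,
    }


if __name__ == "__main__":
    # Constructed sample datagrams, as a collector would read them off UDP/514.
    now = datetime(2002, 12, 4, 14, 5, 0, tzinfo=timezone.utc)
    samples = [
        "<34>Dec  4 14:04:30 fw1 kernel: constructed sample line",
        "<13>Dec  4 09:00:00 dbhost app: constructed sample from a slow clock",
        "<13>constructed sample without any timestamp",
    ]
    for raw in samples:
        rec = parse_datagram(raw, "192.0.2.10", now, use_local_time=True)
        print(rec["timestamp"].isoformat(), rec["ts_source"],
              "SKEW" if rec["clock_skew"] else "ok", rec["host"], rec["msg"])
```

The design point is that switching to local time should not throw the sender's timestamp away: keeping it as `sender_ts` preserves forensic value (you can still see what the sender claimed) while the record's authoritative `timestamp` comes from a clock you control. The `clock_skew` flag is the cheap detection that the NTP-through-the-firewall approach would otherwise give you for free.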