>>>>> On Thu, 5 Dec 2002 17:59:52 +1100 (Australia/ACT), Darren Reed <avalonat_private> said:

DR> In some mail from Tom Perrine, sie said:
DR> I have yet to see this "product" mentioned on the syslog-secure
DR> IETF list that has been the home for online discussion about
DR> syslog-reliable, so I would advise you to mention it there with
DR> perhaps a little more modesty before making bold claims like you
DR> have above, because I for one would challenge your "first" claims
DR> about "very high performance and forensically-sound auditing"
DR> unless they're markedly different to current/traditional methods
DR> for providing this.

Sorry, it's late, I've been writing grant proposals for 3 weeks, and I've got grad students who just aren't paying attention.

It's not a product, it's the beginning of an open source project. As soon as the UC lawyers let us, it's open source with a BSD license. We want it to be a community resource. Right now, we need more people to pound on the UDP parts while we finish up the 3195 parts. @#)$(*@# BEEP libraries....

We surveyed all the syslog daemons we could find, last year, and again more recently. No one mentioned having running code for RFC 3195 compliant stuff. I don't recall finding anyone who admitted working on a 3195 implementation.

I used to read the syslog-reliable list, when 3195 was still an internet draft. I saw lots of protocol arguments, but no one that was writing code. If that's changed, I should probably revisit the list. If there are other available implementations, I'd certainly like to hear about them. The #$@# BEEP libraries are *still* giving us fits, and we'd love to hear what other people are trying instead of the roadrunner or other BEEP libs. I have a former student who says he could drink bad beer for a month solid, take a sledgehammer to his own head and write better libs. Using a crayon. He's been fighting the BEEP stuff for several months (part time, in the last quarter of his BS CSE).
If someone else has a syslog project that is shooting for 3195, it was pretty well hidden, at least last year. Since you are "challenging" our claims, got code? :-)

As for high-performance, all the other syslogs seemed to be aimed at more flexibility in switching, some other weally cool features, or database back-ends. For example, syslog-ng and pattern matching. I can pretty much guarantee that no one is going for high performance if they are planning to insert records into a SQL database on the fly, unless they have a Really Big DB server. We looked at using part of our E15K for a log DB server and decided not to go there yet.

Our goal is to be able to saturate (or accept) at least one full-speed gig-E connection. If we can't drive gig-E and the disks at full-speed, all the time, we've got work to do. I'd like to be able to saturate or accept multiple gig-Es, but I think the PCI bus will stroke out first. I've got a server with 2 PCI busses for performance testing, but we're not there yet.

Performance is a stated goal. Others are doing *very* well, like modular syslog and syslog-ng, but I don't think they've stated that high performance is a primary goal.

We want to log *everything*. We currently save about 1.7 million syslog records each day. We only have about 1-2 million web hits, though. I consider SDSC.EDU a "small site". Our target user is a large e-commerce site, pushing everything through syslog, generating 50 million hits a day and about 10 million syslog records.

As for "forensically sound", I do happen to have a forensic scientist (who is also a lawyer) on the project. We work with local FBI and the Regional Computer Forensics Lab in San Diego. In fact, we've taught UNIX for their examiners. Two of the four members of the team have served as expert witnesses in Federal or State court, concerning digital evidence and logs. The third (the lawyer) teaches classes to Federal judges concerning digital evidence, admissibility and computer forensics.
We have a contract from US DARPA (indirectly) to do legal and technical work on forensics and log systems. We serve on the civilian oversight board of the local high-tech crime task force. One of us chairs the board. I think we understand forensics.

Some of us came from Orange Book A1 operating system development. I think we understand "assurance".

Yes, I think our announcement is a little ambitious. But that's where we are, and as soon as the @#)$(@# BEEP libraries stop leaking memory like tinfoil colanders, we'll nail the syslog-reliable part as well.

If, as Colossus said, "There is another...", I'd like to meet them so we can make sure that we inter-operate and help the 3195 draft proceed to full standard status.

--tep

-- 
Tom E. Perrine <tepat_private> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 08:08:21 PST