>> I think I'd really like to have both timestamps in the final
>> destination log file. The one the client put on, AND the one put on
>> by the final "write-to-file" daemon.

What's the point? For most purposes, both timestamps would be inaccurate
enough that you're not really storing any useful information. I believe
that recording the messages with the originating system's idea of the
time, and the receiving system's idea of the _sequence_ is probably
sufficient. As long as you're keeping things in the correct sequence on
the server, you're OK.

Huh - weird idea - you _could_ keep a differential on the server and keep
statistics about how inaccurate all the clocks on your syslog sources
happen to be. ;) I suppose you could even learn the skews and
compensate/adjust the times, but then you're trashing your forensic value
completely.

In other words: syslog is bad enough that you're not going to make it much
better - may as well leave it alone. If you care about time, run ntp and
leave it at that. You'll have "mark"s in the server's log files that are
presumably ntp-syncd.

mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjrat_private (http://www.ranum.com)
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 14:18:52 PST
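
Added example, not part of the original message: a sketch of the "differential on the server" idea, in which each line is stored verbatim in arrival order and per-source clock differentials are kept as separate statistics, so the client timestamps are never adjusted. The class and function names are hypothetical, the sample lines are constructed, and the parser assumes a BSD-style "Mmm dd hh:mm:ss host" header with no priority prefix.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def parse_header(raw, server_time):
    """Return (host, client_time) from 'Mmm dd hh:mm:ss host msg', or None."""
    parts = raw.split(None, 4)
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(f"{server_time.year} {' '.join(parts[:3])}",
                               "%Y %b %d %H:%M:%S")
        # The header carries no year: choose the one nearest the server clock.
        if ts - server_time > timedelta(days=183):
            ts = ts.replace(year=ts.year - 1)
        elif server_time - ts > timedelta(days=183):
            ts = ts.replace(year=ts.year + 1)
    except ValueError:
        return None
    return parts[3], ts

class SkewTrackingLog:
    """Hypothetical collector: stores lines verbatim in arrival order and
    keeps each source's clock differential as separate statistics."""
    def __init__(self):
        self.records = []               # (server sequence number, raw line)
        self.diffs = defaultdict(list)  # host -> [server - client, seconds]
    def receive(self, raw, server_time):
        self.records.append((len(self.records) + 1, raw))  # never rewritten
        parsed = parse_header(raw, server_time)
        if parsed:
            host, client_time = parsed
            self.diffs[host].append((server_time - client_time).total_seconds())
    def skew_report(self):
        return {h: {"n": len(d), "mean": statistics.fmean(d),
                    "min": min(d), "max": max(d)} for h, d in self.diffs.items()}

# Constructed sample input: (server receive time, line as sent by the client).
SAMPLE = [
    (datetime(2002, 12, 5, 14, 18, 52), "Dec  5 14:18:40 fw1 kernel: drop"),
    (datetime(2002, 12, 5, 14, 18, 55), "Dec  5 14:19:05 web1 sshd[212]: session opened"),
    (datetime(2002, 12, 5, 14, 19, 0), "Dec  5 14:18:50 fw1 kernel: drop"),
    (datetime(2003, 1, 1, 0, 0, 3), "Dec 31 23:59:58 fw1 kernel: drop"),
]
def demo():
    log = SkewTrackingLog()
    for server_time, line in SAMPLE:
        log.receive(line, server_time)
    return log
```

In the sample, the second record keeps its server sequence position even though its client timestamp is later than the third record's, and the last line exercises the year rollover that the yearless header forces the parser to guess.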