Re: [logs] reinventing syslog [was: Secure Central Log Host]

From: Florin Andrei (florinat_private)
Date: Thu Dec 05 2002 - 15:48:21 PST


    On Thu, 2002-12-05 at 14:07, Marcus J. Ranum wrote:
    > 
    > >> I think I'd really like to have both timestamps in the final
    > >> destination log file.  The one the client put on, AND the one put on
    > >> by the final "write-to-file" daemon.
    > 
    > What's the point?
    
    Forensics.
    
    Yeah, i know, in an ideal world, every system would run NTP, and the
    wolves and the sheep would peacefully sip Coke together from the same
    bottle. However, in the _real_ world, sometimes you ask yourself: "what
    was that system's idea of time?"
    Having a timestamp from the syslog server is useful to correlate between
    logs from different machines.
    Having the original timestamp of the machine that sent the datagram is
    useful to correlate between events that took place on that machine
    alone.
    
    And it's not that big a deal anyway, it's just a timestamp, a few bytes
    or so.
    
    > For most purposes, both timestamps would be
    > inaccurate enough that you're not really storing any useful information.
    
    Right, but you're not aiming for absolute time precision, but most
    usually for correlation between events. Time references on different
    machines not always being perfectly in sync, the more info you have the
    better.
    
    > I believe that recording the messages with the originating system's idea
    > of the time, and the receiving system's idea of the _sequence_ is probably
    > sufficient. As long as you're keeping things in the correct sequence on
    > the server, you're OK.
    
    I agree, provided that you give a unique sequence to each datagram.
    
    For example, let's admit you're logging to a database (yeah, i know) and
    you rely on a self-incrementing column to keep track of the sequence.
    But then, if you log different (groups of) hosts to different tables,
    you lose correlation between those tables.
    
    Overall, it's simpler to use the local timestamp. Simple, intuitive,
    works everywhere.
    
    > In other words: syslog is bad enough that you're not going to make it
    > much better - may as well leave it alone.
    
    Heck, no. What i want to see is a better syslogd implementation, and a
    better syslog protocol.
    Improvements _are_ possible.
    
    -- 
    Florin Andrei
    
    "If you play the WinXP CD backwards, you get a satanic message."
    "That's nothing, if you play it forward, it installs WinXP."
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
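The two-timestamp, single-sequence scheme argued over in this thread, as an added example that is not code from the list or from any syslog implementation (Python; the datagrams, host names and clock readings are constructed, and the year is borrowed from the receiver because BSD syslog timestamps carry none):

```python
import re
from datetime import datetime

# Constructed sample input: BSD syslog datagrams (<PRI>Mmm dd hh:mm:ss host msg)
# from two hosts, plus the server's own clock reading at each arrival.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", "<38>Dec  5 15:48:21 alpha sshd[812]: Accepted publickey for ops"),
    ("10.0.0.7", "<38>Dec  5 15:40:02 bravo sshd[311]: Failed password for root"),
    ("10.0.0.5", "<86>Dec  5 15:48:25 alpha su: ops to root on /dev/pts/1"),
]
SAMPLE_RECEIVE_TIMES = [
    datetime(2002, 12, 5, 15, 48, 22),
    datetime(2002, 12, 5, 15, 48, 23),
    datetime(2002, 12, 5, 15, 48, 26),
]

HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def ingest(datagrams, receive_times):
    """Keep BOTH timestamps and assign one global sequence number per datagram."""
    records = []
    for seq, ((src_ip, raw), recv_ts) in enumerate(zip(datagrams, receive_times), start=1):
        m = HEADER_RE.match(raw)
        if not m:
            raise ValueError(f"not an RFC 3164 datagram: {raw!r}")
        pri, stamp, host, msg = m.groups()
        # The client stamp has no year; take it from the server's receive time.
        client_ts = datetime.strptime(f"{recv_ts.year} {' '.join(stamp.split())}",
                                      "%Y %b %d %H:%M:%S")
        records.append({"seq": seq, "recv_ts": recv_ts, "client_ts": client_ts,
                        "src_ip": src_ip, "host": host,
                        "severity": int(pri) % 8, "msg": msg})
    return records

def clock_skew(records):
    """Each host's clock offset from the server (client_ts - recv_ts), from its first datagram."""
    skew = {}
    for r in records:
        skew.setdefault(r["host"], r["client_ts"] - r["recv_ts"])
    return skew

def order_across_hosts(records):
    """Cross-host order: the server's clock plus the global sequence number."""
    return [r["seq"] for r in sorted(records, key=lambda r: (r["recv_ts"], r["seq"]))]

def order_by_client_clock(records):
    """The same events ordered by the senders' own clocks, which may be skewed."""
    return [r["seq"] for r in sorted(records, key=lambda r: (r["client_ts"], r["seq"]))]
```

With these inputs, bravo's clock runs about eight minutes slow: ordering by client stamps alone would put its failed login before alpha's successful one, while the server timestamp and sequence keep the true arrival order, and the per-host skew table lets a forensic reviewer translate between the two.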
    



    This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 16:07:32 PST