RE: [logs] reinventing syslog [was: Secure Central Log Host]

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Dec 06 2002 - 04:18:17 PST


    I think it definitely makes sense to have both time stamps. This is
    especially the case if you (try to) sync the router clocks.
    
    However, we have seen that the "received at" timestamp is the most
    valuable, especially if the devices follow syslog RFC which prohibits TZ
    information in the syslog time stamp...
    
    Honestly, I think it would be good to have some improved syslog protocol with
    
    A) simple tcp connections (_not_ BEEP)
    B) some more meta data (like full blown time stamps)
    C) support for larger message sizes (we deal with Windows events and
    1024 bytes is a pain..)
    D) optional encryption
    
    My personal opinion on the new syslog RFC series is that these are
    overkill at some points, weak in others, and I think this is the reason so
    few out there start implementing it. After struggling some time with
    BEEPCore on Win32 we decided to wait until the market sees a need for it
    ;) And BEEP doesn't even solve all the issues we see...
    
    Ok, my 2 cents to syslog rfc in general ;)
    
    Rainer Gerhards
    Adiscon
    
    
    > -----Original Message-----
    > From: Tom Perrine [mailto:tepat_private] 
    > Sent: Thursday, December 05, 2002 10:36 PM
    > To: eravinat_private
    > Cc: florinat_private; loganalysisat_private
    > Subject: Re: [logs] reinventing syslog [was: Secure Central Log Host]
    > 
    > 
    > >>>>> On Thu, 5 Dec 2002 13:51:03 -0500 (EST), "Ed Ravin" <eravinat_private> said:
    > 
    >     ER> Florin Andrei writes:
    >     >> The true solution is to modify syslogd.  [...]
    >     >> Changing the code to use local timestamps instead of the ones provided
    >     >> by the datagrams should be no big deal. Some external configuration flag
    >     >> could change the behaviour between the default (use the datagrams'
    >     >> timestamps, or use local time).
    > 
    >     ER> syslog-ng already supports this, with its "use_time_recvd()" option.
    >     ER> You can also do your remote logging via TCP to reduce the chance
    >     ER> that you are receiving spoofed data.
    > 
    > I think I'd really like to have both timestamps in the final
    > destination log file.  The one the client put on, AND the one
    > put on by the final "write-to-file" daemon.
    > 
    > Does this make sense, or am I just being overly {pedantic,
    > paranoid, feature-crazy}?
    > 
    > --tep
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private 
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > 
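An added example, not from this thread, from syslog-ng or from Adiscon, of what keeping "both timestamps" at the collector looks like in practice: it parses a classic RFC 3164 line (whose stamp has no year and no time zone), records the receiver's own clock beside the device's stamp, and flags lines whose skew suggests an unsynced or forged device clock. The regex, the assumed device zone offset, the 5-minute skew threshold and the sample lines are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Classic (RFC 3164) wire format: "<PRI>Mmm dd hh:mm:ss host msg". The stamp has
# no year and no time zone, so the receiver's clock is stored next to it, not instead.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>(?:" + "|".join(MONTHS) + r") [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def device_time(ts, received_at):
    """Turn the year-less, TZ-less device stamp into an aware datetime in
    received_at's zone, using the candidate year closest to received_at."""
    month, day = MONTHS.index(ts[:3]) + 1, int(ts[4:6])
    hh, mm, ss = (int(x) for x in ts[7:].split(":"))
    candidates = []
    for year in (received_at.year - 1, received_at.year, received_at.year + 1):
        try:
            candidates.append(datetime(year, month, day, hh, mm, ss, tzinfo=received_at.tzinfo))
        except ValueError:  # that day does not exist in this year (Feb 29, Feb 30, ...)
            pass
    if not candidates:
        raise ValueError("impossible date in device stamp: " + ts)
    return min(candidates, key=lambda c: abs(c - received_at))


def normalize(line, received_at_iso, device_utc_offset_hours=0, max_skew_seconds=300):
    """Record both timestamps for one line. received_at_iso is the collector's
    clock (ISO 8601 with a UTC offset); device_utc_offset_hours is the zone the
    device is assumed to stamp in, since the RFC 3164 stamp cannot say (assumption)."""
    received_at = datetime.fromisoformat(received_at_iso)
    bad = {"received_at": received_at.isoformat(), "raw": line, "malformed": True}  # kept, not dropped
    m = SYSLOG_RE.match(line)
    if not m:
        return bad
    try:
        zone = timezone(timedelta(hours=device_utc_offset_hours))
        dev = device_time(m["ts"], received_at.astimezone(zone))
    except ValueError:
        return bad
    skew = (received_at - dev).total_seconds()
    pri = int(m["pri"])
    return {
        "received_at": received_at.isoformat(), "device_time": dev.isoformat(),
        "facility": pri >> 3, "severity": pri & 7, "host": m["host"], "msg": m["msg"],
        "skew_seconds": skew,
        # Large skew: unsynced device clock or forged stamp; sort and correlate on received_at.
        "clock_suspect": abs(skew) > max_skew_seconds,
    }
```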



    This archive was generated by hypermail 2b30 : Fri Dec 06 2002 - 10:37:46 PST