Re: [logs] Syslog payload format

From: Darren Reed (avalonat_private)
Date: Mon Dec 30 2002 - 21:34:45 PST

  • Next message: Michael Ray: "Re: [logs] Tamper Proof Logging"

    In some mail from Fulton L. Preston Jr., sie said:
    > 
    > Hello, long time listener, first time caller:
    > 
    > Here is what I would like to see in *my* logs as a "sysadmin-weenie":
    > 
    > I want to know *EVERY* command sent to my daemons (POP,SMTP,FTP,etc..) so I
    > can trace back problems (or hack attempts using log analyzing software or
    > NIDS/HIDS)  My biggest frustration with most software is the *lack* of
    > logging of what happens during remote communications while a remote client
    > is connected.  Most commonly what I see is an entry of "connect from" and
    > that is about it.  Even with 'compile' options most logging is dismal at
    > best.  I would like to see date/time stamps, each and every command issued,
    > including buffer overflow attempts (at least log the "complete" string
    > unless the app itself overflowed, god help us.)  My goal is for the program,
    > or syslog, to log everything that happens to it for later analysis.
    [...]
    
    It occurred to me whilst out walking that there's a fundamental problem
    here with us saying what we *want* to log and that is we have almost NO
    control over what gets logged.  We can influence how it gets logged
    by plugging in a different API for syslog(3) and providing a new one but
    I don't see it being easily within reach for influencing application
    programmers.  MAYBE you could get some notice if an RFC was written up
    as a BCP (Best Current Practice) on what's considered to be logging in
    a useful manner and how much needs to be done for it to be useful.  Also,
    what sort of applications should and should different classes of apps
    provide log information differently, depending on xyz ?
    
    Back to what you were saying.  You want the app. to log everything that
    happens to it.  Can you explain to me in simple terms what "everything
    that happens to it" means ?
    
    We can only log what the application programmers want to log unless we
    are going to do something like ptrace/ktrace/strace the entire app. every
    time it runs and analyse that as part of the log information.
    
    It sounds to me like you want to run all your applications in what would
    be commonly called a "debug mode".
    
    Just out of curiosity, do you use sendmail and if so, do you make any
    changes to the sendmail.cf for the purpose of more verbose logging ?
    Does anyone else who uses sendmail (it's ok, you can admit to it, heck
    I even *like* sendmail.cf >:-) make any changes to its standard log
    level ?  That's the sendmail log level, not mail.foo in syslog.conf.
    
    Darren
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
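Darren's point is that you only get the log lines the programmer chose to emit, unless you wrap the whole process. One wrapper that is cheaper than strace and gives exactly what Fulton asked for (a timestamp and the complete string of every command a client sends, whether or not the daemon itself logs it) is a logging front-end in the client/daemon path. The block below is an added example, not code from this thread or from any of the daemons mentioned; it shows only the command-logging layer and assumes a proxy or inetd-style wrapper around it that forwards the bytes unchanged. The SMTP transcript, the peer address and the `cmd-log` record layout are constructed for the example. It also does the three things a practitioner would want before turning this on: it redacts PASS/AUTH arguments so credentials never reach the log, escapes control bytes so a client cannot forge log records (the CR in the RCPT line), and records the length of an over-long line even when the client never terminates it, so an overflow attempt is on record even if the daemon dies.

```python
"""Per-command logging layer for a line-oriented daemon (SMTP, POP3, FTP).

Added example: a transparent front-end that records every command line a
client sends before it is forwarded to the unmodified daemon.  Only the
logging layer is shown; the socket plumbing of a real proxy is assumed.
"""
import time
from dataclasses import dataclass

MAX_LINE = 512                    # RFC 5321 maximum SMTP command line, CRLF included
KEEP_BYTES = 256                  # how much of an over-long argument is kept verbatim
SECRET_VERBS = {"PASS", "AUTH"}   # arguments that carry credentials: never log them


@dataclass
class CommandRecord:
    ts: str          # UTC timestamp of when the line was seen
    peer: str        # client address, as the proxy knows it
    verb: str        # command word, upper-cased, control bytes escaped
    arg: str         # argument, escaped / truncated / redacted as appropriate
    length: int      # raw length of the line in bytes (CR included, LF excluded)
    overlong: bool   # True when the line exceeded the protocol limit

    def format(self) -> str:
        """Single-line key=value record suitable for handing to syslog."""
        flag = " overlong=1" if self.overlong else ""
        return (f'{self.ts} cmd-log peer={self.peer} verb={self.verb} '
                f'len={self.length}{flag} arg="{self.arg}"')


def escape(raw: bytes) -> str:
    """Render bytes so CR, LF, quotes and non-ASCII cannot forge or split a
    log line (log-injection guard): anything outside printable ASCII, plus
    the quote and backslash characters, becomes \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C)
                   else "\\x%02x" % b for b in raw)


class CommandLogger:
    """Accumulates client bytes and emits one record per terminated line."""

    def __init__(self, peer: str, max_line: int = MAX_LINE, clock=time.time):
        self.peer = peer
        self.max_line = max_line
        self.clock = clock        # injectable so tests get a fixed timestamp
        self.buf = b""

    def _record(self, line: bytes) -> CommandRecord:
        verb, _, arg = line.strip(b" \r").partition(b" ")
        verb_s = escape(verb[:16].upper()) or "-"
        if verb_s in SECRET_VERBS and arg:
            arg_s = "<redacted>"          # POP3 PASS secret, AUTH PLAIN blob, ...
        else:
            arg_s = escape(arg[:KEEP_BYTES]) + ("..." if len(arg) > KEEP_BYTES else "")
        ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.clock()))
        return CommandRecord(ts, self.peer, verb_s, arg_s, len(line),
                             len(line) > self.max_line)

    def feed(self, data: bytes) -> list:
        """Consume one recv() chunk; return records for every complete line.
        An unterminated fragment that already exceeds max_line is logged at
        once, so an overflow attempt is on record even if the daemon never
        sees the end of the line."""
        self.buf += data
        out = []
        while True:
            nl = self.buf.find(b"\n")
            if nl < 0:
                if len(self.buf) > self.max_line:
                    out.append(self._record(self.buf))
                    self.buf = b""
                return out
            out.append(self._record(self.buf[:nl]))
            self.buf = self.buf[nl + 1:]


# Constructed client transcript: ordinary commands, a credential, a CR-based
# log-injection attempt and a 2000-byte "overflow" line.
SAMPLE_SESSION = b"".join([
    b"EHLO mail.example.com\r\n",
    b"AUTH PLAIN AGpvZQBzM2NyM3Q=\r\n",
    b"MAIL FROM:<joe@example.com>\r\n",
    b"RCPT TO:<root@example.net\rfake=entry>\r\n",
    b"HELO " + b"A" * 2000 + b"\r\n",
    b"QUIT\r\n",
])


def log_session(peer: str, data: bytes, chunk: int = 4096, clock=time.time) -> list:
    """Replay a captured client stream through the logger in recv()-sized
    chunks and return the resulting records."""
    logger = CommandLogger(peer, clock=clock)
    records = []
    for i in range(0, len(data), chunk):
        records.extend(logger.feed(data[i:i + chunk]))
    return records


if __name__ == "__main__":
    for rec in log_session("192.0.2.10:4321", SAMPLE_SESSION):
        print(rec.format())
```

Two limits worth knowing before relying on this: AUTH LOGIN sends the username and password as bare base64 lines after the AUTH command, so a real deployment has to track that state and redact the continuation lines too; and anything after STARTTLS is opaque to an external wrapper, so only the clear-text part of a session is seen.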
    This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:24:55 PST