In some mail from Fulton L. Preston Jr., sie said:

> Hello, long time listener, first time caller:
>
> Here is what I would like to see in *my* logs as a "sysadmin-weenie":
>
> I want to know *EVERY* command sent to my daemons (POP, SMTP, FTP, etc.) so I
> can trace back problems (or hack attempts using log analyzing software or
> NIDS/HIDS). My biggest frustration with most software is the *lack* of
> logging of what happens during remote communications while a remote client
> is connected. Most commonly what I see is an entry of "connect from" and
> that is about it. Even with 'compile' options most logging is dismal at
> best. I would like to see date/time stamps, each and every command issued,
> including buffer overflow attempts (at least log the "complete" string
> unless the app itself overflowed, god help us.) My goal is for the program,
> or syslog, to log everything that happens to it for later analysis.

[...]

It occurred to me whilst out walking that there's a fundamental problem here with us saying what we *want* to log, and that is we have almost NO control over what gets logged. We can influence how it gets logged by plugging in a different API for syslog(3) and providing a new one, but I don't see it being easily within reach for influencing application programmers.

MAYBE you could get some notice if an RFC was written up as a BCP (Best Current Practice) on what's considered to be logging in a useful manner and how much needs to be done for it to be useful. Also, what sort of applications should, and should different classes of apps provide log information differently, depending on xyz?

Back to what you were saying. You want the app to log everything that happens to it. Can you explain to me in simple terms what "everything that happens to it" means? We can only log what the application programmers want to log unless we are going to do something like ptrace/ktrace/strace the entire app every time it runs and analyse that as part of the log information. It sounds to me like you want to run all your applications in what would be commonly called a "debug mode".

Just out of curiosity, do you use sendmail and if so, do you make any changes to the sendmail.cf for the purpose of more verbose logging? Does anyone else who uses sendmail (it's ok, you can admit to it, heck I even *like* sendmail.cf >:-) make any changes to its standard log level? That's the sendmail log level, not mail.foo in syslog.conf.

Darren

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
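The per-command logging Fulton asks for above (timestamp, peer, every command, and the complete string even for oversized buffer-overflow-style input) is what a daemon author has to build in; as an added illustration that is not from this thread, the Python below shows one such audit record, with the 512-byte cap, the service name and the peer address being constructed values. It also escapes non-printable bytes so a client cannot forge or truncate log records with embedded newlines or NULs.

```python
import re
from datetime import datetime, timezone

# Limits are constructed for this example; pick them to suit the daemon.
MAX_LOGGED_LEN = 512   # bytes of command text kept verbatim in one record
# Anything outside printable ASCII, plus the backslash itself, gets escaped,
# so an escaped byte and a literal "\x0a" typed by the client stay distinct.
_UNSAFE = re.compile(r'[^\x20-\x5b\x5d-\x7e]')


def sanitize(raw: bytes) -> str:
    """Escape each unsafe byte as \\xNN so a newline (fake record) or NUL
    (cut-off record) in the client's input cannot corrupt the log."""
    return _UNSAFE.sub(lambda m: '\\x%02x' % ord(m.group(0)),
                       raw.decode('latin-1'))


def audit_line(service: str, peer: str, raw: bytes, stamp: str) -> str:
    """One record per command: timestamp, service, peer, the real length of
    what the client sent, and the (possibly truncated) command text."""
    shown = raw[:MAX_LOGGED_LEN]           # truncate bytes, then escape
    fields = ['%s %s[%s]: cmd len=%d' % (stamp, service, peer, len(raw))]
    if len(raw) > MAX_LOGGED_LEN:
        fields.append('truncated=1')       # oversized input stays visible
    fields.append('text="%s"' % sanitize(shown))
    return ' '.join(fields)


def log_command(service, peer, raw, when=None, sink=print):
    """Timestamp the command (UTC) and hand the record to `sink`; in a real
    daemon the sink would be syslog.syslog so syslog.conf decides routing."""
    when = when or datetime.now(timezone.utc)
    line = audit_line(service, peer, raw, when.strftime('%Y-%m-%dT%H:%M:%SZ'))
    sink(line)
    return line


if __name__ == '__main__':
    # Constructed sample traffic: a normal command, a log-injection attempt,
    # and an oversized argument of the kind an overflow probe would send.
    samples = [b'USER fulton\r\n',
               b'PASS x\r\n2002-12-30T00:00:00Z pop3[fake]: forged\r\n',
               b'USER ' + b'A' * 2000 + b'\r\n']
    for s in samples:
        log_command('pop3', '192.0.2.10', s)
```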
This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:24:55 PST