RE: [logs] Syslog payload format

From: Fulton L. Preston Jr. (fultonat_private)
Date: Mon Dec 30 2002 - 20:23:48 PST


    Hello, long time listener, first time caller:
    
    Here is what I would like to see in *my* logs as a "sysadmin-weenie":
    
    I want to know *EVERY* command sent to my daemons (POP, SMTP, FTP, etc.) so I
    can trace back problems (or hack attempts using log analyzing software or
    NIDS/HIDS).  My biggest frustration with most software is the *lack* of
    logging of what happens during remote communications while a remote client
    is connected.  Most commonly what I see is an entry of "connect from" and
    that is about it.  Even with 'compile' options most logging is dismal at
    best.  I would like to see date/time stamps, each and every command issued,
    including buffer overflow attempts (at least log the "complete" string
    unless the app itself overflowed, god help us.)  My goal is for the program,
    or syslog, to log everything that happens to it for later analysis.
    
    Though the answer would be "install a NIDS or HIDS", I've done that but find
    I still need to use the syslog/logs data to extract "pre-attack" data.  This
    "pre-attack" data has been most useful in pursuing attempted hacks, and it is
    armed with the 'pre-attack' data plus the 'post-attack' data that we get our
    highest level of prosecutions.
    
    My two cents.
    Regards,
    Fulton Preston
    
    -----Original Message-----
    From: loganalysis-adminat_private
    [mailto:loganalysis-adminat_private] On Behalf Of Tina Bird
    Sent: Monday, December 30, 2002 21:12
    To: Marcus J. Ranum
    Cc: Balazs Scheidler; Darren Reed; loganalysisat_private
    Subject: Re: [logs] Syslog payload format
    
    And (reiterates the moderator, who's getting tired of slogging this dead
    horse)...
    
    I still maintain that it's pointless to worry about how to format the
    messages or transport the messages until you've got at least >some<
    guidance about what kinds of information (or events) ought to be recorded
    in the first place!
    
    So, never mind what actually shows up in your operating system and
    application logs.  What's the information that you log-weenies and
    sys-admin-weenies actually >>use<< to keep things up and running?  Or what
    would you use if it was there?
    
    I keep coming back to apps restarting with a new configuration.  But that
    can't be the only thing we can all think of that we'd like to record.
    
    tbird
    who's just been revising her tutorial notes and being reminded of all the
    questions with no answers, sigh
    
    Never express yourself more clearly than you think.  -- Niels Bohr
    
    http://www.shmoo.com/~tbird
    Log Analysis http://www.loganalysis.org
    VPN http://vpn.shmoo.com
    
    On Mon, 30 Dec 2002, Marcus J. Ranum wrote:
    
    > Balazs Scheidler wrote:
    > >xnewsyslog(LOG_DAEMON | LOG_INFO,
    > >           "User logged in",
    > >           "%(user)s %(tty)s %(host)s",
    > >           "marcus", "ttyp6", host);
    >
    > This is horrible. You're basically doing the same thing as
    > "old" syslog: you're sticking arbitrary strings out there with
    > no mark-up regarding their semantics.
    >
    > Right now the assembled log-weenies of the world are fighting
    > a battle (that is about to become hugely expensive) to apply
    > significance (i.e.: semantic value) to log data. Continuing to
    > encourage client-side APIs that are devoid of additional
    > semantic data is not helping anything. We may as well stick
    > with stupid old syslog (but fix the transports) and call it sucky
    > enough.
    >
    > mjr.
    > ---
    > Marcus J. Ranum				http://www.ranum.com
    > Computer and Communications Security	mjrat_private
    >
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
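As an added example (not code from anyone in this thread), the two requests above in runnable form: Marcus's demand that log records carry semantically tagged fields instead of free-form strings, and Fulton's wish to record every client command verbatim with a timestamp, oversize ones included. The field names, the sample POP3 session and the peer address are constructed for the demonstration.

```python
import re
from datetime import datetime, timezone

OVERSIZE = 512  # argument length above which a command is flagged for the analyst/NIDS

def _escape(value: str) -> str:
    """Quote a field value and hex-escape anything that could break the key=value
    framing (control bytes, non-ASCII, quotes, backslashes), so a client-supplied
    string can never forge an extra field in the record."""
    body = re.sub(r'[^\x20-\x7e]|["\\]', lambda m: "\\x%02x" % ord(m.group()), value)
    return '"' + body + '"'

def format_event(event: str, ts=None, **fields) -> str:
    """One record = timestamp + event name + tagged fields; ts is injectable so
    output is reproducible (constructed field names, not a standard schema)."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    parts = ["ts=" + ts, "event=" + _escape(event)]
    parts += ["%s=%s" % (k, _escape(str(v))) for k, v in fields.items()]
    return " ".join(parts)

def command_event(proto: str, peer: str, session: int, raw: bytes, ts=None) -> str:
    """Record one client command as received: verb, complete argument and its
    length; only credentials are redacted, and oversize input is flagged, not dropped."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    fields = {"proto": proto, "peer": peer, "session": session,
              "verb": verb.decode("latin-1"), "arglen": len(arg)}
    if verb.upper() == b"PASS":
        fields["arg"] = "<redacted>"            # never write the credential itself
    else:
        fields["arg"] = arg.decode("latin-1")   # the complete string, byte for byte
    if len(arg) > OVERSIZE:
        fields["oversize"] = 1                  # something a log rule can key on
    return format_event("command", ts, **fields)

# Constructed sample session as a POP3 daemon would see it (last line is oversize
# and carries non-printable bytes, the kind of input that should still be logged)
SAMPLE = [b"USER marcus\r\n", b"PASS hunter2\r\n", b"RETR " + b"A" * 600 + b"\x00\xff\r\n"]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(command_event("pop3", "192.0.2.10", 7, raw, ts="2002-12-30T20:23:48Z"))
    # Balazs's "User logged in" example with the semantics carried as fields
    print(format_event("login", "2002-12-30T20:23:48Z", user="marcus", tty="ttyp6", host="example.org"))
```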
    
    This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:25:05 PST