Hello, long time listener, first time caller:

Here is what I would like to see in *my* logs as a "sysadmin-weenie": I want to know *EVERY* command sent to my daemons (POP, SMTP, FTP, etc.) so I can trace back problems (or hack attempts, using log analyzing software or NIDS/HIDS).

My biggest frustration with most software is the *lack* of logging of what happens during remote communications while a remote client is connected. Most commonly what I see is an entry of "connect from" and that is about it. Even with 'compile' options most logging is dismal at best. I would like to see date/time stamps, each and every command issued, including buffer overflow attempts (at least log the "complete" string unless the app itself overflowed, god help us.)

My goal is for the program, or syslog, to log everything that happens to it for later analysis. Though the answer would be "install a NIDS or HIDS", I've done that but find I still need to use the syslog/logs data to extract "pre-attack" data. This "pre-attack" data has been most useful in pursuing attempted hacks, and it is when armed with the 'pre-attack' data plus the 'post-attack' data that we get our highest level of prosecutions.

My two cents.

Regards,
Fulton Preston

-----Original Message-----
From: loganalysis-adminat_private [mailto:loganalysis-adminat_private] On Behalf Of Tina Bird
Sent: Monday, December 30, 2002 21:12
To: Marcus J. Ranum
Cc: Balazs Scheidler; Darren Reed; loganalysisat_private
Subject: Re: [logs] Syslog payload format

And (reiterates the moderator, who's getting tired of slogging this dead horse)...

I still maintain that it's pointless to worry about how to format the messages or transport the messages until you've got at least >some< guidance about what kinds of information (or events) ought to be recorded in the first place!

So, never mind what actually shows up in your operating system and application logs. What's the information that you log-weenies and sys-admin-weenies actually >>use<< to keep things up and running? Or what would you use if it was there?

I keep coming back to apps restarting with a new configuration. But that can't be the only thing we can all think of that we'd like to record.

tbird
who's just been revising her tutorial notes and being reminded of all the questions with no answers, sigh

Never express yourself more clearly than you think. -- Niels Bohr

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

On Mon, 30 Dec 2002, Marcus J. Ranum wrote:

> Balazs Scheidler wrote:
> >xnewsyslog(LOG_DAEMON | LOG_INFO,
> >           "User logged in",
> >           "%(user)s %(tty)s %(host)s",
> >           "marcus", "ttyp6", host);
>
> This is horrible. You're basically doing the same thing as
> "old" syslog: you're sticking arbitrary strings out there with
> no mark-up regarding their semantics.
>
> Right now the assembled log-weenies of the world are fighting
> a battle (that is about to become hugely expensive) to apply
> significance (i.e.: semantic value) to log data. Continuing to
> encourage client-side APIs that are devoid of additional
> semantic data is not helping anything. We may as well stick
> with stupid old syslog (but fix the transports) and call it sucky
> enough.
>
> mjr.
> ---
> Marcus J. Ranum http://www.ranum.com
> Computer and Communications Security mjrat_private
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
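The two wishes in this thread, Marcus's objection to log APIs that emit arbitrary strings with no markup of their semantics, and Fulton's wish for a timestamped record of every command a daemon receives, can be illustrated together with a small self-describing log format. The following is an added example written for this archive page; it is not code from the list, from syslog, or from the `xnewsyslog` proposal quoted above. The function names (`format_event`, `parse_event`, `log_command`, `log_session`), the `key=value` layout, the `MAX_ARG` cap and the sample FTP session are all assumptions constructed for illustration.

```python
"""Structured (key=value) log events versus free-text log lines.

Added example, not code from the LogAnalysis list or any syslog
implementation. Every name and the sample session below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Values made only of these characters are written bare; anything else is
# quoted and escaped so a consumer can always recover the field boundaries.
_BARE = re.compile(r"[A-Za-z0-9_.:/@+-]*")
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Upper bound on how much of a command argument is copied into the log line.
# The real length is always recorded alongside, so an oversized argument is
# still visible after the fact without letting one client flood the log.
MAX_ARG = 256


def _quote(value) -> str:
    """Render one field value; quote and escape it if it is not 'bare'."""
    text = str(value)
    if _BARE.fullmatch(text):
        return text
    text = (text.replace("\\", "\\\\").replace('"', '\\"')
                .replace("\n", "\\n").replace("\r", "\\r"))
    return f'"{text}"'


def format_event(event: str, ts=None, **fields) -> str:
    """Emit 'ts=<ISO-8601> event=<name> k=v ...' as a single line.

    Contrast with the free-text form ("User logged in marcus ttyp6 host"),
    where a consumer has to guess which word is the user and which the tty.
    """
    ts = ts or datetime.now(timezone.utc)
    parts = [f"ts={ts.isoformat()}", f"event={_quote(event)}"]
    parts += [f"{k}={_quote(v)}" for k, v in fields.items()]
    return " ".join(parts)


def parse_event(line: str) -> dict:
    """Recover the fields of a line produced by format_event (all as str)."""
    out = {}
    for key, raw in _TOKEN.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)",
                         lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                         raw[1:-1])
        out[key] = raw
    return out


def log_command(session: str, cmd: str, arg: str, ts) -> str:
    """Log one protocol command with its timestamp and session identifier.

    The argument is capped at MAX_ARG characters, but its real length and a
    truncation flag are recorded, so an abnormally long argument stands out
    in later analysis even when it is not copied verbatim.
    """
    return format_event("command", ts=ts, session=session, cmd=cmd,
                        arg=arg[:MAX_ARG], arg_len=len(arg),
                        truncated=len(arg) > MAX_ARG)


# Constructed sample session (not a real capture): three ordinary FTP
# commands followed by one with an oversized argument.
SAMPLE_SESSION = [
    ("USER", "alice"),
    ("PASS", "********"),        # credentials are never logged verbatim
    ("RETR", "report.txt"),
    ("CWD", "a" * 600),
]


def log_session(session_id: str, commands, start) -> list:
    """Log every command of a session, one line each, one second apart."""
    return [log_command(session_id, cmd, arg, start + timedelta(seconds=i))
            for i, (cmd, arg) in enumerate(commands)]


if __name__ == "__main__":
    start = datetime(2002, 12, 30, 21, 12, tzinfo=timezone.utc)
    for line in log_session("s1", SAMPLE_SESSION, start):
        print(line)
    print(parse_event(format_event("login", ts=start, user="marcus",
                                   tty="ttyp6", host="example.test")))
```

Each line carries the timestamp and names its own fields, so a log analyzer or NIDS/HIDS correlating "pre-attack" activity can select on `cmd=` or `arg_len=` without a per-daemon regular expression, and quoting keeps a client-supplied argument containing spaces, quotes or newlines from forging extra fields or extra lines.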
This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:25:05 PST