RE: [logs] Syslog payload format

From: Kohlenberg, Toby (toby.kohlenbergat_private)
Date: Mon Dec 30 2002 - 21:49:57 PST

    :)
    Well put. So, just off the top of my head, I'm generally interested in
    all sorts of things:
    From the application perspective:
    startup information (who it's running as, what configuration file
    it is using, ports bound to), activity information (what it is doing 
    and for whom, the request it received that caused it to do something, 
    how it got the request (command line? network?), what the actual 
    request was (if it applies)...
    shutdown information (how it was shut down, what if anything was left 
    unfinished when it shut down, why it shut down)
    
    from the OS perspective:
    all the typical accounting information plus:
    who a process ran as, who started it, how long it ran, what 
    files it interacted with (and what it did/tried to do to each of them), 
    what networking things it did (ports it used, addresses it used, 
    amount of traffic sent/received).
    
    Also, I want to be able to kick up the level of granularity as needed 
    (ideally maybe automatically if certain events are seen) and go from 
    a list of files a process touched/tried to touch, to what it 
    did to them, to the actual system calls made.....
    
    This is completely off the top of my head so I make no claims to it being
    complete, accurate, logical, understandable or anything like that. ;)
    That said, is this more in line with what you were looking for?
    
    toby
    
    > -----Original Message-----
    > From: Tina Bird [mailto:tbird@precision-guesswork.com]
    > Sent: Monday, December 30, 2002 8:08 PM
    > To: tcleary2at_private
    > Cc: loganalysisat_private
    > Subject: Re: [logs] Syslog payload format
    > 
    > 
    > Hi Tom --
    > 
    > Wow, that was a great summary of the legal discussion from two weeks ago.
    > But that's still not precisely what I'm after.
    > 
    > You've described what qualities the information must have in order to be
    > "credible" for a legal purpose.  But I'm not even that far along.
    > 
    > What I'm trying to assemble is a list of the events on an individual
    > host/operating system, or an application, or across a network, that are
    > the most important for keeping things running smoothly.  Or, the events
    > that define "normal behavior" for a host, an application or a network.
    > (They might not be the same lists.)
    > 
    > Sometimes I think I must be missing something really obvious.  I don't
    > understand how to discuss a reasonable format for messages if I don't have
    > >some< idea of what sorts of information (values) and events I want those
    > messages to describe!
    > 
    > Back in the mists of time we'd assembled the start of a list of important
    > events (which at the time I introduced as "state changes" which launched
    > us into another couple of unrelated tangents).  I have a start of a list
    > of "events that define normal" based on responses from students over the
    > years.
    > 
    > I am >not< at this point interested in:
    > 
    > -- how to encapsulate the event data
    > -- how to transport the event data
    > -- how to convince someone non-technical that the event data are valid
    > -- a 100% complete list -- I am perfectly aware of the high likelihood
    > that individual hosts/applications/networks will have individual quirks
    > that will cause them to deviate from my list.
    > -- how to quantify the events
    > -- whether or not a particular OS or application actually >logs< the event
    > 
    > But what are the events we want the logs to contain?
    > 
    > *sigh* tbird
    > 
    > Never express yourself more clearly than you think.  -- Niels Bohr
    > 
    > http://www.shmoo.com/~tbird
    > Log Analysis http://www.loganalysis.org
    > VPN http://vpn.shmoo.com
    > 
    > 
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > 
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
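Toby's wish list above (startup, activity and shutdown events, plus a granularity level that can be kicked up automatically when certain events are seen) written out as a small Python event logger. This is an added example, not code from the thread or from any list member; the event names, field names, the in-memory record sink and the `auth_failure` trigger event are all assumptions.

```python
import json
import os
import socket
import time

# Toby's granularity levels: which files a process touched, what it did to
# each one, down to the individual system calls.
LEVELS = {"summary": 0, "detail": 1, "syscall": 2}

class EventLog:
    def __init__(self, app, level="summary", escalate_on=("auth_failure",)):
        self.app = app
        self.level = LEVELS[level]
        self.escalate_on = set(escalate_on)  # events that raise granularity (assumed)
        self.records = []  # in-memory sink (assumed); a daemon would write to syslog

    def emit(self, event, min_level="summary", **fields):
        """Record an event if the current granularity is at least min_level."""
        if LEVELS[min_level] > self.level:
            return None
        rec = {"ts": time.strftime("%Y-%m-%dT%H:%M:%S"), "host": socket.gethostname(),
               "app": self.app, "pid": os.getpid(), "event": event, **fields}
        self.records.append(rec)
        if event in self.escalate_on and self.level < LEVELS["syscall"]:
            self.level += 1  # kick the level up automatically on a trigger event
        return rec

    # Startup: who it runs as, which config file, which ports are bound.
    def startup(self, config_file, ports):
        user = os.environ.get("USER", "unknown")  # a real daemon would use getpass
        return self.emit("startup", user=user, config=config_file, ports=ports)

    # Activity: the request, who it was for and how it arrived.
    def request(self, principal, via, what):
        return self.emit("request", principal=principal, via=via, request=what)

    def file_access(self, path, op, outcome):  # only recorded at "detail" or finer
        return self.emit("file_access", "detail", path=path, op=op, outcome=outcome)

    # Shutdown: how, why, and what was left unfinished.
    def shutdown(self, reason, unfinished):
        return self.emit("shutdown", reason=reason, unfinished=unfinished)

def to_syslog_line(rec):
    """Render a record as a syslog-style header followed by a JSON payload."""
    head = "%s %s %s[%d]: " % (rec["ts"], rec["host"], rec["app"], rec["pid"])
    body = {k: v for k, v in rec.items() if k not in ("ts", "host", "app", "pid")}
    return head + json.dumps(body, sort_keys=True)
```

At the "summary" level the file-access record is dropped; after one `auth_failure` event the logger raises itself to "detail" and the same call is recorded.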



    This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:25:13 PST