Hi Tom --

Wow, that was a great summary of the legal discussion from two weeks ago. But that's still not precisely what I'm after. You've described what qualities the information must have in order to be "credible" for a legal purpose. But I'm not even that far along.

What I'm trying to assemble is a list of the events on an individual host/operating system, or an application, or across a network, that are the most important for keeping things running smoothly. Or, the events that define "normal behavior" for a host, an application or a network. (They might not be the same lists.)

Sometimes I think I must be missing something really obvious. I don't understand how to discuss a reasonable format for messages if I don't have >some< idea of what sorts of information (values) and events I want those messages to describe!

Back in the mists of time we'd assembled the start of a list of important events (which at the time I introduced as "state changes", which launched us into another couple of unrelated tangents). I have the start of a list of "events that define normal" based on responses from students over the years.

I am >not< at this point interested in:

-- how to encapsulate the event data
-- how to transport the event data
-- how to convince someone non-technical that the event data are valid
-- a 100% complete list -- I am perfectly aware of the high likelihood that individual hosts/applications/networks will have individual quirks that will cause them to deviate from my list.
-- how to quantify the events
-- whether or not a particular OS or application actually >logs< the event

But what are the events we want the logs to contain?

*sigh*

tbird

Never express yourself more clearly than you think. -- Niels Bohr

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:25:52 PST