<bits and pieces of previous messages deleted for brevity>

On Tue, 31 Dec 2002, Darren Reed wrote:

> It occurred to me whilst out walking that there's a fundamental problem
> here with us saying what we *want* to log and that is we have almost NO
> control over what gets logged. We can influence the how it gets logged
> by plugging in a different API for syslog(3) and providing a new one but
> I don't see it being easily within reach for influencing application
> programmers. MAYBE you could get some notice if an RFC was written up
> as a BCP (Best Current Practise) on what's considered to be logging in
> a useful manner and how much needs to be done for it to be useful. Also,
> what sort of applications should and should different classes of apps
> provide log information differently, depending on xyz ?
>

Well said, Darren, and part of what I've already been trying to do,
without of course having the document written. I've been on a personal
crusade every time I run into developers on any of the big open source
projects (or at least, Apache, OpenSSL and Snort, at the moment) to try to
convince them to modify their code to generate a syslog message when the
daemon is restarted with a configuration change. IANAD (I am not a
developer) and as usual it's a much more complicated thing than I'd
imagined, but since I don't yet have enough content to write that RFC it's
the only thing I can think of to do.

We've got an awful lot of people on this list who are in positions to be
influential. We just need to come to some sort of conclusion about what
we want.

> It sounds to me like you want to run all your applications in what would
> be commonly called a "debug mode".
>

This sounds like overkill to me in most cases, unless you'd be doing
process auditing anyhow. I'm still stuck on things like config changes,
restarts, reboots, use of admin privileges, new account creation, that
sort of stuff.

> Just out of curiosity, do you use sendmail and if so, do you make any
> changes to the sendmail.cf for the purpose of more verbose logging ?
> Does anyone else who uses sendmail (it's ok, you can admit to it, heck
> I even *like* sendmail.cf >:-) make any changes to its standard log
> level ? That's the sendmail log level, not mail.foo in syslog.conf.

I am not currently using sendmail. But good point. I should pester Eric
and company about convincing it to log when its configuration changes.

tbird

------------------------------------------------------------------
Never express yourself more clearly than you think.
    -- Niels Bohr

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Jan 01 2003 - 20:06:17 PST
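
An added example, not part of the original message and not code from any project named in it: one way a daemon could emit the "restarted with a configuration change" syslog message requested above. The function name `startup_audit`, the state-file approach and the message fields are assumptions made for this sketch.

```python
import hashlib
import os
import tempfile


def config_digest(path):
    """SHA-256 of the configuration file's bytes."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def startup_audit(name, config_path, state_path, emit=None):
    """Emit one line at daemon start saying whether the config changed.

    Returns the message so callers and tests can inspect it.
    """
    if emit is None:
        # Default sink: local syslog, daemon facility, notice priority.
        import syslog
        syslog.openlog(name, syslog.LOG_PID, syslog.LOG_DAEMON)
        emit = lambda msg: syslog.syslog(syslog.LOG_NOTICE, msg)

    new = config_digest(config_path)
    try:
        with open(state_path) as fh:
            old = fh.read().strip()
    except FileNotFoundError:
        old = None  # first start, or the state file was removed

    if old is None:
        msg = f"start config={config_path} sha256={new} change=unknown"
    elif old == new:
        msg = f"restart config={config_path} sha256={new} change=no"
    else:
        msg = (f"restart config={config_path} sha256={new} "
               f"previous_sha256={old} change=yes")
    emit(msg)

    # Replace the state file atomically so a crash cannot leave a partial digest.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(state_path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(new + "\n")
    os.replace(tmp, state_path)
    return msg
```

The state file is only as trustworthy as the host it lives on, so the record that matters is the copy of each message forwarded to a remote log server, where consecutive digests can be compared independently.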