You wrote:
> What I'm missing the most in your API is the semantics: as long as the
> "label" ist still a free form text I don't see much of an improvement
> over the current situation. My goal for a syslog replacement/renovation
> is to get "meaning" into the logs; formatting for storage or display is
> a secondary issue as long as the information is there in any parseable
> format.
Hi
The proposal is an attempt to get something of a least common denominator
between the API I have implemented (rather larger), what Marcus has
been proposing and what Balazs is planning to implement. I still think
that this would be useful.
I have my own ideas about semantics: I think there are
three levels of logging
1 The easy stuff common to everything. Time, id, etc.
2 The domain of the application programmer. If somebody
is coding an httpd, let them log urls, status codes, etc.
With a bit of luck this can be standardised for popular
application types, eg the common log format for HTTP servers.
3 A higher level abstraction, or rather several. This is
what Tina is always reminding us to focus on and what the Marcus
and Pauls Logging Data Map seeks to describe. The data map
is useful.
However, my personal opinion is that constructing an automated analysis
component working on a full semantics is going to be AI-hard.
So my approach is to think of several security abstractions/models
and work with those. If you have a recent version of IDS/A
installed look in /usr/local/include/idsa_schemes.h
Some sample models:
AM - the access control model. A subject does something to
an object. Events defined in terms of that model report
three fields, eg:
.am-1.subject:uid=100 .am-1.action:string="action-read" .am-1.object:file="/etc/passwd"
SSM - the simple service model. An application tries to get
some work done. In doing so it enters several states. This
only involves one field .ssm-1, but its values are defined.
The full list is given in the include file, but samples
are "service-start", "service-fail", "work-start", etc.
.ssm-1:string="service-fail"
If you download linetd (jade.cs.uct.ac.za/linetd/) you can see a subset of that model in action.
There are several other models, some not in that include file.
I apologies for the lack of documentation - with a bit
of luck a paper will be forthcoming. Note that many events
are supposed to report data in several domains/abstractions.
The .something.something is actually starting to look like SNMP,
though with an IMHO saner transport. The idea is to make the "."
akin to the root (/) indicating a global namespace, while the other
fields are local, analogous to files in the current working directory,
where the current working directory is indicated with the scheme
field. Technically the fields in [1] should also start with a "."
regards
marc
PS: Sorry for the out of sequence mail. I am currently on dialup.
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:48:46 PST