On Fri, 3 Jan 2003, Rainer Gerhards wrote:

> > From a forensics standpoint, dynamic variable formatting is a
> > bad idea.
> > You really want strictly defined behaviour. It's better to
> > hook old style
> > logging into a new thing, and identify it than to choose
> > which mechanism
> > on the fly.
>
> Mmmhhh... I see your point. What I am concerned with is backward
> compatibility. If we emit ONLY the new format, we definitely break
> existing scripts. Thus, it becomes much harder for application
> developers to choose our replacement (and it will be even harder to get
> it into something like glibc, at least I guess...). So I think it is a
> "must have" to provide the ability to use either format and leave the
> choice to the admin.

The issue is that dynamically allocated things can change - so an intruder
changing format brings into question the validity of the logged data.

That's why I think the "SYSLOG_FORMAT" stuff Marcus proposes is better than
a scheme that's either in position a or position b. Make it always in the
new position, and handle the backwards compatibility with the new mechanism.
Replace the syscall with a new mechanism that just does the right thing with
old calls, and does the better thing with new calls - that way there's never
a question of who changed the environment, and when?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:54:25 PST
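The following is an added example, not code from the thread, from Marcus's proposal or from any real syslog implementation. It models the two schemes Paul contrasts: a logger whose output format is selected at run time from a mutable setting (a hypothetical `LOG_FORMAT` variable, assumed here purely for illustration and unrelated to the `SYSLOG_FORMAT` proposal), and a logger that always emits one fixed format and wraps calls arriving through the old API with a library-set origin marker. Both record formats are invented stand-ins, and the sample events are constructed. The point it shows is the forensic one: under the first scheme a record in the old shape cannot tell you whether the admin chose it or an intruder unset the variable before the sensitive event, whereas under the second scheme there is only one grammar and the old/new distinction is carried in the record itself.

```python
"""Format selected by environment vs. one fixed format with a compatibility
shim. Hypothetical line formats (not any real syslog dialect):
  old: "<ts> <host> <tag>: <msg>"
  new: "ts=<ts> host=<host> tag=<tag> origin=<new|legacy> msg=<python-quoted>"
"""
import ast


def old_style(ts, host, tag, msg):
    # Free-form legacy line, what an old-API caller's scripts expect.
    return f"{ts} {host} {tag}: {msg}"


def new_style(ts, host, tag, msg, origin="new"):
    # Fixed field order. msg is repr()-quoted so embedded spaces, newlines
    # or "origin=" text inside a message cannot forge additional fields.
    return f"ts={ts} host={host} tag={tag} origin={origin} msg={msg!r}"


def env_selected_logger(ts, host, tag, msg, env):
    # Scheme argued against: the emitted shape depends on a run-time
    # setting (hypothetical LOG_FORMAT) that a process, or an intruder
    # who controls a process's environment, can change.
    if env.get("LOG_FORMAT") == "new":
        return new_style(ts, host, tag, msg)
    return old_style(ts, host, tag, msg)


def fixed_format_logger(ts, host, tag, msg, via_legacy_api=False):
    # Scheme argued for: always the new format. Calls through the old API
    # are converted and tagged by the library itself, so the marker does
    # not depend on anything the caller's environment controls.
    return new_style(ts, host, tag, msg,
                     origin="legacy" if via_legacy_api else "new")


def parse_new(line):
    # Strict parser for the fixed grammar. Returns None for any line that
    # does not match, i.e. a record whose format we cannot vouch for.
    fields, rest = {}, line
    for key in ("ts", "host", "tag", "origin"):
        prefix = key + "="
        if not rest.startswith(prefix):
            return None
        value, sep, rest = rest[len(prefix):].partition(" ")
        if not sep:
            return None
        fields[key] = value
    if not rest.startswith("msg="):
        return None
    try:
        fields["msg"] = ast.literal_eval(rest[len("msg="):])
    except (ValueError, SyntaxError):
        return None
    return fields if isinstance(fields["msg"], str) else None


def audit(lines):
    # Split a stream into records in the fixed grammar and records that are
    # not; for the latter the *format*, not just the content, is in doubt.
    good, suspect = [], []
    for line in lines:
        (good if parse_new(line) is not None else suspect).append(line)
    return good, suspect


def demo():
    # Constructed events: a daemon call through the new API, then a
    # sensitive action logged through the legacy API.
    ts, host = "2003-01-03T18:54:25Z", "gw1"
    events = [("sshd", "Accepted publickey for root", False),
              ("su", "root on pts/0", True)]
    # Admin configured LOG_FORMAT=new; the intruder's shell has it unset.
    env_admin, env_intruder = {"LOG_FORMAT": "new"}, {}
    switched = [env_selected_logger(ts, host, events[0][0], events[0][1], env_admin),
                env_selected_logger(ts, host, events[1][0], events[1][1], env_intruder)]
    fixed = [fixed_format_logger(ts, host, t, m, via_legacy_api=legacy)
             for t, m, legacy in events]
    return audit(switched), audit(fixed)


if __name__ == "__main__":
    (sw_good, sw_suspect), (fx_good, fx_suspect) = demo()
    print("env-selected: %d parseable, %d ambiguous" % (len(sw_good), len(sw_suspect)))
    print("fixed-format: %d parseable, %d ambiguous" % (len(fx_good), len(fx_suspect)))
```

Running `demo()` gives one ambiguous line under the environment-selected scheme (the `su` record came out in the old shape, and nothing in the log says why) and none under the fixed scheme, where the same legacy call is recorded as `origin=legacy` in the single grammar the parser accepts.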