RE: [logs] Syslog payload format

From: Paul Robertson (probertsat_private)
Date: Fri Jan 03 2003 - 10:40:17 PST


    On Fri, 3 Jan 2003, Rainer Gerhards wrote:
    > > From a forensics standpoint, dynamic variable formatting is a bad idea.
    > > You really want strictly defined behaviour.  It's better to hook old style
    > > logging into a new thing, and identify it than to choose which mechanism
    > > on the fly.
    > Mmmhhh... I see your point. What I am concerned with is backward
    > compatibility. If we emit ONLY the new format, we definitely break
    > existing scripts. Thus, it becomes much harder for application
    > developers to choose our replacement (and it will be even harder to get
    > it into something like glibc, at least I guess...). So I think it is a
    > "must have" to provide the ability to use either format and leave the
    > choice to the admin.
    The issue is that dynamically allocated things can change- so an intruder 
    changing format brings into question the validity of the logged data.  
    That's why I think the "SYSLOG_FORMAT" stuff Marcus proposes is better 
    than a scheme that's either in position a or position b.  Make it always 
    in the new position, and handle the backwards compatibility with the new 
    Replace the syscall with a new mechanism that just does the right thing 
    with old calls, and does the better thing with new calls- that way there's 
    never a question of who changed the environment, and when?
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    LogAnalysis mailing list
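One way to implement the design Paul argues for (one emitting mechanism, format tag always at the same position, old-style calls wrapped and labelled rather than detected on the fly), as an added example that is not from the thread and not the SYSLOG_FORMAT proposal it refers to. The wire layout, the function names and the sample messages below are assumptions made for this illustration only:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed wire layout (an assumption for this example, not a real spec):
#   <PRI>HOST APP FMT=<legacy|kv> <payload>
# FMT= is always at the same position, so the consumer reads it from there
# and never infers the format from what the payload happens to look like.
_HEADER = re.compile(r'^<(\d{1,3})>(\S+) (\S+) FMT=(legacy|kv) (.*)$')
_KV_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_KV_PAYLOAD = re.compile(r'(?:\w+="(?:[^"\\]|\\.)*"(?: |$))*')


def _quote(value: str) -> str:
    """Quote a field value; backslash and double quote are escaped."""
    if "\n" in value:
        raise ValueError("newline not allowed in a kv field value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _unquote(raw: str) -> str:
    return re.sub(r"\\(.)", r"\1", raw)


def legacy_log(pri: int, host: str, app: str, msg: str) -> str:
    """Old-style call: free-form text. It is wrapped and tagged FMT=legacy,
    so nothing in the text can promote it to the structured format."""
    msg = msg.replace("\n", "\\n")
    return f"<{pri}>{host} {app} FMT=legacy {msg}"


def kv_log(pri: int, host: str, app: str, fields: Dict[str, str]) -> str:
    """New-style call: structured fields emitted as quoted key/value pairs."""
    for key in fields:
        if not re.fullmatch(r"\w+", key):
            raise ValueError(f"bad field name: {key!r}")
    payload = " ".join(f"{k}={_quote(v)}" for k, v in fields.items())
    return f"<{pri}>{host} {app} FMT=kv {payload}"


@dataclass
class Record:
    pri: int
    host: str
    app: str
    fmt: str                          # "legacy", "kv", "malformed" or "untagged"
    text: Optional[str] = None        # legacy text, or raw line when untagged
    fields: Dict[str, str] = field(default_factory=dict)


def parse(line: str) -> Record:
    """Consumer side: trust only the fixed-position tag, never the payload."""
    m = _HEADER.match(line)
    if not m:
        # Did not come through the new mechanism: keep it verbatim, do not guess.
        return Record(pri=-1, host="", app="", fmt="untagged", text=line)
    pri, host, app, fmt, payload = m.groups()
    rec = Record(int(pri), host, app, fmt)
    if fmt == "kv":
        if not _KV_PAYLOAD.fullmatch(payload):
            rec.fmt, rec.text = "malformed", payload
        else:
            rec.fields = {k: _unquote(v) for k, v in _KV_PAIR.findall(payload)}
    else:
        rec.text = payload
    return rec


if __name__ == "__main__":
    # Constructed sample: a legacy caller whose text imitates the new format.
    spoof = legacy_log(34, "host1", "sshd", 'FMT=kv user="root"')
    print(spoof, "->", parse(spoof))        # stays legacy text, no fields
    good = kv_log(34, "host1", "sshd", {"user": "root", "msg": 'said "hi"'})
    print(good, "->", parse(good))
```

The point of the example is the spoof case: a message body that looks like the structured format still parses as legacy text, because the format decision is made by the emitting mechanism at a fixed position and not reconstructed from the payload. A line that never went through the wrapper comes back as "untagged" rather than being promoted to either format.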
