RE: [logs] Syslog payload format

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Jan 03 2003 - 09:33:31 PST


    > > I strongly believe we should - at least in the beginning - provide a
    > > syslog(3) replacement that just does as I have written above. So a
    > > simple re-link is necessary. Maybe we can even get this into glibc
    > > over time... With a minimalistic replacement, there should not be much
    > > memory or other footprint added to the existing apps. And the
    > > replacement could also check an environment variable (or /etc file or
    > > whatever) to dynamically determine if it should apply the wrapper
    > > formatting or true old-style format.
    >
    > From a forensics standpoint, dynamic variable formatting is a bad idea.
    > You really want strictly defined behaviour. It's better to hook old-style
    > logging into a new thing, and identify it, than to choose which mechanism
    > on the fly.
    Mmmhhh... I see your point. What I am concerned with is backward
    compatibility. If we emit ONLY the new format, we definitely break
    existing scripts. Thus, it becomes much harder for application
    developers to choose our replacement (and it will be even harder to get
    it into something like glibc, at least I guess...). So I think it is a
    "must have" to provide the ability to use either format and leave the
    choice to the admin.

    From the forensic standpoint, wouldn't it be acceptable if a procedure is
    defined for a given site which format MUST be used? I mean an admin
    practice, written down with seal and all the nice things that you might
    need? I don't know enough about forensics to see if this is a really
    dumb idea, but I am sure you can shed light on this ;)
    LogAnalysis mailing list
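The two designs argued over above, as an added example in C that is not code from this thread, from Rainer Gerhards, or from any syslog implementation: a syslog(3)-style wrapper that picks its output format at run time from an environment variable (the proposal), next to one that always emits a single fixed format and identifies legacy callers by an explicit field (the forensic objection). The environment variable name `SYSLOG_FORMAT`, the key=value "wrapped" format, the `origin` field and the sample log fields are all assumptions made for illustration; the thread defines none of them.

```c
/* Added example, not from the thread or any syslog project.
 * Contrasts run-time format selection (design A) with a single fixed format
 * that tags the call path (design B). Both output formats are assumed here;
 * the "wrapped" format is illustrative only and not anything the thread
 * specified. No escaping of quotes inside msg is attempted. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_LINE_MAX 512

/* Classic BSD-style line: "<pri>Mon DD HH:MM:SS host tag: msg". */
static int format_classic(char *out, size_t n, int pri, const char *ts,
                          const char *host, const char *tag, const char *msg)
{
    return snprintf(out, n, "<%d>%s %s %s: %s", pri, ts, host, tag, msg);
}

/* Assumed "wrapped" format: fixed, self-describing key=value fields, with an
 * origin field saying which entry point produced the record. */
static int format_wrapped(char *out, size_t n, int pri, const char *ts,
                          const char *host, const char *tag, const char *msg,
                          const char *origin)
{
    return snprintf(out, n, "<%d>%s host=%s tag=%s origin=%s msg=\"%s\"",
                    pri, ts, host, tag, origin, msg);
}

/* Design A, proposal in the thread: the shape of the record depends on a
 * per-process setting, so the same event can look two different ways.
 * 'mode' is the value of the (assumed) SYSLOG_FORMAT variable, or NULL. */
int log_dynamic_mode(const char *mode, char *out, size_t n, int pri,
                     const char *ts, const char *host, const char *tag,
                     const char *msg)
{
    if (mode && strcmp(mode, "wrapped") == 0)
        return format_wrapped(out, n, pri, ts, host, tag, msg, "syslog3");
    return format_classic(out, n, pri, ts, host, tag, msg);
}

/* Convenience entry point that reads the environment, as the proposal
 * describes. The variable name SYSLOG_FORMAT is an assumption. */
int log_dynamic(char *out, size_t n, int pri, const char *ts,
                const char *host, const char *tag, const char *msg)
{
    return log_dynamic_mode(getenv("SYSLOG_FORMAT"), out, n, pri, ts, host,
                            tag, msg);
}

/* Design B, the forensic objection: always one format; an old-style caller
 * hooked into the new path is identified by origin, not by record shape. */
int log_fixed(char *out, size_t n, int pri, const char *ts, const char *host,
              const char *tag, const char *msg, const char *origin)
{
    return format_wrapped(out, n, pri, ts, host, tag, msg, origin);
}

/* What a consumer or forensic parser would check: does the line carry the
 * fixed format's mandatory fields? Under design A this may fail for a
 * record emitted by the same binary in another process. */
int is_wrapped(const char *line)
{
    return strstr(line, " host=") != NULL && strstr(line, " origin=") != NULL;
}

int main(void)
{
    char buf[LOG_LINE_MAX];
    /* Constructed sample event; pri 13 = LOG_USER | LOG_NOTICE. */
    const int pri = 13;
    const char *ts = "Jan  3 09:33:31", *host = "host1";
    const char *tag = "sshd[123]", *msg = "session opened";

    log_dynamic(buf, sizeof buf, pri, ts, host, tag, msg);
    printf("A (follows SYSLOG_FORMAT): %s\n", buf);
    log_fixed(buf, sizeof buf, pri, ts, host, tag, msg, "legacy-hook");
    printf("B (always fixed):          %s\n", buf);
    return 0;
}
```

Running the program with and without `SYSLOG_FORMAT=wrapped` in the environment shows the point of the objection: under design A the record for one and the same event parses as the fixed format in one process and not in another, so a site policy is the only thing holding the shape constant; under design B every record parses, and the legacy path is visible in the `origin` field instead.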

    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:50 PST