> > I strongly believe we should - at least in the beginning - provide a
> > syslog(3) replacement that just does as I have written above. So a
> > simple re-link is necessary. Maybe we can even get this into glibc
> > over time... With a minimalistic replacement, there should not be much
> > memory or other footprint be added to the existing apps. And the
> > replacement could also check an environment variable (or /etc file or
> > whatever) to dynamically determine if it should apply the wrapper
> > formatting or true old-style format.
>
> From a forensics standpoint, dynamic variable formatting is a bad idea.
> You really want strictly defined behaviour. It's better to hook old style
> logging into a new thing, and identify it than to choose which mechanism
> on the fly.

Mmmhhh... I see your point. What I am concerned with is backward compatibility. If we emit ONLY the new format, we definitely break existing scripts. Thus, it becomes much harder for application developers to choose our replacement (and it will be even harder to get it into something like glibc, at least I guess...). So I think it is a "must have" to provide the ability to use either format and leave the choice to the admin.

For the forensic standpoint, wouldn't it be acceptable if a procedure is defined for a given site which format MUST be used? I mean an admin practice, written down with seal and all the nice things that you might need? I don't know enough about forensics to see if this is a really dumb idea, but I am sure you can shed light on this ;)

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:50 PST