RE: [logs] RE: syslog/tcp (selp)

From: Jørgen Hoffmeister (jorgenat_private)
Date: Fri Jan 10 2003 - 16:27:28 PST

  • Next message: Darren Reed: "Re: [logs] RE: syslog/tcp (selp)"

    To All in this thread,
    I have been folowing this thread for a couple og days, i agree that we
    have to have an extended form of logging.
    I have been working with the PIX Firewall for the last 5 years and had
    some old logs. I found some logs for the PIX version 4.4 and for the 5.2
    and all of the log has a LF in the end.
    There have been made some new enhancements for the logging function in
    the pix.
    The newer versions of the Cisco PIX Software 6.2.2 (115) and UP, the
    next release will be 6.3 in March 2003.
    The enhancement is an Device-id for logging purpose, like the one for
    the new syslog format. It will add the
    hostname or ip address or a text string between the PRI and the Message
    fields when not using the timestamp or between the timestamp and the
    Message when using the timestamp.
    Old style
    pri time message   <165>Jan 11 2003 00:59:52 %PIX-5-111008: User
    New style
    pri time name message   <165>Jan 11 2003 00:59:52 name : %PIX-5-111008:
    User 'Enable.......
    Jorgen Hoffmeister
    Future Graphics
    E-Mail .: jhat_private
    -----Original Message-----
    From: loganalysis-adminat_private
    [mailto:loganalysis-adminat_private] On Behalf Of Smith, John
    Sent: 10. januar 2003 21:06
    To: loganalysisat_private
    Cc: 'Andrew Ross'
    Subject: RE: [logs] RE: syslog/tcp (selp) 
            Got access to a version 5 PIX and it does place a single LF at
    the end of the message, at least on a UDP packet.
            End of a syslog packet (using Snort): 
            2F 32 34 35 36 38 0A      /24568. 
    -----Original Message----- 
    From: Andrew Ross [mailto:andrewat_private] 
    Sent: Friday, January 10, 2003 2:42 AM 
    To: 'Kyle R. Hofmann' 
    Cc: 'Rainer Gerhards'; 'Balazs Scheidler'; loganalysisat_private;
    'Mikael Olsson'; avalonat_private 
    Subject: RE: [logs] RE: syslog/tcp (selp) 
    The more I think about it, the idea of binary data and non ASCII chr 
    sets should be left for the BEEP or syslog reliable implementations. The
    SELP protocol should be a very simple change and not allow for non ASCII
    chrs or binary. Therefore we can just stick with a delimiter and not 
    worry about a length chunk. It also means I don't have to code for non 
    ASCII chr sets just yet :-) 
    On the topic of delimiters. We discovered today that the PIX actually 
    sends a single LF at the end of its messages. It does this for both UDP 
    and TCP messages. I'm using version 6.2(1) of the PIX IOS. From memory, 
    earlier versions of the IOS didn't delimit the data. (Version 4 and 5). 
    Does anyone have access to old software to confirm this? 
    We have been discussing the delimiter recently as being CRLF. Can I 
    throw the cat amongst the pigeons and suggest we make it just LF? LF is 
    the Unix standard delimiter for files and streams. CRLF is more of a 
    Windows convention. 
    Would it not be easier (and more code efficient) to search for just LF? 
    Someone mentioned that CRLF is the Internet standard, can someone point 
    me to a URL that defines this? I always thought the Internet was more 
    Unix driven than Windows. 
    On Fri, 10 Jan 2003 13:35:42 +1300, "Andrew Ross" wrote: 
    > As another idea, if we started the message with a known header 
    > it would make it instantly recognisable as particular protocol. 
    Unfortunately a classical syslog daemon won't like it.  It'll assume the
    default facility and priority for that message--"user" and "notice"--and
    proceed to put it wherever such messages go instead of where this 
    should go. 
    In a way this isn't really a problem, because a new syslog daemon has to
    changed to use TCP and to send CRLFs at the end of messages; but in 
    sense it is, because we're trying to make it easy for implementors to 
    their old syslog daemons to this protocol, and the more requirements we 
    on them, the more reluctant they'll be.  If this is to get any 
    outside of the loganalysis list, then we have to make it *very* *very* 
    easy to implement. 
    TCP and CRLFs are the minimum to have a working protocol.  I think we 
    punt on the other issues, discuss them in "Security Concerns", and 
    syslog-reliable for serious work. 
    Kyle R. Hofmann <krhat_private> 
    LogAnalysis mailing list 
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 16:34:43 PST