[logs] idea: let's scare ourselves...

From: Marcus J. Ranum (mjr@private)
Date: Fri Aug 06 2004 - 22:47:36 PDT


	I just had an evil idea!!

	As I was revising the notes/slides for my syslog tutorial for
SANS and USENIX, I got to the slide about my old results from
a few years ago, that showed UDP syslog loses a huge percentage
of messages as the load increases - and it gave me an idea. ;)

	What if when each syslogd starts up, it generates a nonce
using, say, a CRC of time, pid, and log file inode #  - it need not be
cryptographically strong - and logs a message every whenever with
${timestamp} syslogd: host nonce sequence-number

	The nonce would be a hex representation of the CRC, and
the "sequence number" is the number of messages that have been
received and recorded or forwarded by that particular syslogd. Whenever
the nonce changes, the count gets reset. The sender can reset the
nonce whenever it wants to, if it's bored or whatever.

	This isn't an attempt to introduce reliability into syslog; it's
more of an attempt to measure how unreliable it is. If you saw the
count mismatch on the high side, you know you've just had someone
inject a bunch of bogus messages into your log stream. More likely
(based on my measures) what you'd see is that the count was way off 
on the low side. A particular machine sent 40000 log messages to
its server; and its server saw 5000 of them. The server could track
the counts/nonces from each of the hosts sending it logs, and could
make some interesting statistics about how crappy syslogs are!

	Comments? [And, No; I don't believe in RFCs so let's not
even GO that route. If you want to know why, read the preamble
for RFC 3164]

mjr.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
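An added example (not from the post and not any syslogd's code): a receiver-side tracker in Python for the nonce/sequence-number scheme described above. It assumes the receiver prefixes each line with a timestamp and hostname in the usual BSD layout and that the marker body is exactly the proposed "syslogd: host nonce sequence-number"; the host, nonce values and log lines are constructed.

```python
import re

# Constructed line layout: receiver prefixes "<ts> <host> "; the marker body follows the post.
LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<body>.*)$")
MARKER = re.compile(r"^syslogd: \S+ (?P<nonce>[0-9a-f]+) (?P<seq>\d+)$")

class NonceTracker:
    """Per-host tally of messages actually received versus the sender's claimed count."""
    def __init__(self):
        self.state = {}    # host -> [nonce, seq at last marker, received since last marker]
        self.reports = []  # (host, nonce, claimed, received, verdict)

    def feed(self, line):
        m = LINE.match(line)
        if not m:
            return None                  # not a line we understand; skip it
        host, body = m.group("host"), m.group("body")
        st = self.state.setdefault(host, [None, 0, 0])
        st[2] += 1                       # every line from the host counts, markers included
        mk = MARKER.match(body)
        if not mk:
            return None
        nonce, seq = mk.group("nonce"), int(mk.group("seq"))
        if nonce != st[0]:               # new nonce: sender restarted and reset its count
            self.state[host] = [nonce, seq, 0]
            return None
        claimed, received = seq - st[1], st[2]
        st[1], st[2] = seq, 0
        verdict = "injected" if received > claimed else "lost" if received < claimed else "ok"
        self.reports.append((host, nonce, claimed, received, verdict))
        return self.reports[-1]

def loss_summary(lines):
    """Return {host: (claimed, lost, injected)} summed over every marker interval."""
    t, out = NonceTracker(), {}
    for ln in lines:
        t.feed(ln)
    for host, _, claimed, received, _ in t.reports:
        c, lost, inj = out.get(host, (0, 0, 0))
        out[host] = (c + claimed, lost + max(claimed - received, 0), inj + max(received - claimed, 0))
    return out

SAMPLE = [  # constructed stream from one host: a loss interval, an injection interval, a restart
    "Aug  6 22:40:00 web1 syslogd: web1 1f3a9c2e 1",      # first marker: baseline only
    "Aug  6 22:40:01 web1 sshd[411]: Accepted publickey for ops from 10.0.0.5",
    "Aug  6 22:40:03 web1 syslogd: web1 1f3a9c2e 6",      # sender claims 5, we saw 2: 3 lost
    "Aug  6 22:40:04 web1 sshd[412]: Failed password for invalid user admin",
    "Aug  6 22:40:06 web1 syslogd: web1 1f3a9c2e 7",      # sender claims 1, we saw 2: 1 injected
    "Aug  6 22:40:07 web1 syslogd: web1 7b0d44e1 1",      # new nonce: resync, no verdict
]
```

Running `loss_summary(SAMPLE)` gives `{"web1": (6, 3, 1)}`: of 6 claimed messages, 3 never arrived and 1 extra showed up; the interval straddling a nonce change is deliberately not judged, since the receiver cannot tell which of its lines belong to the new counter.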



This archive was generated by hypermail 2.1.3 : Mon Aug 09 2004 - 12:54:53 PDT