Very smart indeed, and very easy to test, i.e. a userland Perl script
and log analyzer.
UDP syslog is obviously broken and not reasonable to fix; this may
help spread the word and increase demand for solutions like ng.
best wishes,
adam
Marcus J. Ranum wrote:
> I just had an evil idea!!
>
> As I was revising the notes/slides for my syslog tutorial for
> SANS and USENIX, I got to the slide about my old results from
> a few years ago, that showed UDP syslog loses a huge percentage
> of messages as the load increases - and it gave me an idea. ;)
>
> What if when each syslogd starts up, it generates a nonce
> using, say, a CRC of time, pid, and log file inode # - it need not be
> cryptographically strong - and logs a message every whenever with
> ${timestamp} syslogd: host nonce sequence-number
>
> The nonce would be a hex representation of the CRC, and
> the "sequence number" is the number of messages that have been
> received and recorded or forwarded by that particular syslogd. Whenever
> the nonce changes, the count gets reset. The sender can reset the
> nonce whenever it wants to, if it's bored or whatever.
>
> This isn't an attempt to introduce reliability into syslog; it's
> more of an attempt to measure how unreliable it is. If you saw the
> count mismatch on the high side, you know you've just had someone
> inject a bunch of bogus messages into your log stream. More likely
> (based on my measures) what you'd see is that the count was way off
> on the low side. A particular machine sent 40000 log messages to
> its server; and its server saw 5000 of them. The server could track
> the counts/nonces from each of the hosts sending it logs, and could
> make some interesting statistics about how crappy syslogs are!
>
> Comments? [And, No; I don't believe in RFCs so let's not
> even GO that route. If you want to know why, read the preamble
> for RFC 3164]
>
> mjr.
>
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Mon Aug 09 2004 - 13:08:36 PDT
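As an added illustration of the scheme Marcus describes (this is not code from the thread, and it is Python rather than the Perl script Adam mentions): a sender-side helper that builds the CRC nonce and marker line, and a collector-side analyzer that tracks the nonce and sequence number per host and reports whether the interval between two markers shows loss (the usual UDP result), excess messages (which the thread flags as injection), or a clean match. All host names, nonces and log lines are constructed sample data, and the marker format, a plain syslog record whose message is `host nonce sequence-number`, is an assumption about how the proposal would be laid out on the wire.

```python
"""Added example: nonce + sequence-number markers for measuring UDP syslog loss.
Not from the mailing-list thread; hosts, nonces and log lines are constructed."""
import re
import zlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed marker layout: "${timestamp} <host> syslogd: <host> <nonce> <sequence-number>",
# carried as an ordinary syslog record whose hostname field is the sender.
TS = r"\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d"
HOST_RE = re.compile(rf"^{TS} (?P<host>\S+) ")
MARKER_RE = re.compile(
    rf"^{TS} (?P<host>\S+) syslogd: (?P<mhost>\S+) (?P<nonce>[0-9a-f]{{8}}) (?P<seq>\d+)$"
)


def make_nonce(now: int, pid: int, inode: int) -> str:
    """Hex CRC32 of time, pid and log-file inode. Deliberately not cryptographic:
    it only has to change between syslogd restarts so counters resynchronise."""
    return f"{zlib.crc32(f'{now}:{pid}:{inode}'.encode()) & 0xFFFFFFFF:08x}"


def marker_line(ts: str, host: str, nonce: str, seq: int) -> str:
    """What the sending syslogd emits every N messages (N is the sender's choice)."""
    return f"{ts} {host} syslogd: {host} {nonce} {seq}"


@dataclass
class HostState:
    nonce: Optional[str] = None   # nonce of the current sender incarnation
    last_seq: int = 0             # sequence number in the last marker seen
    seen: int = 0                 # lines received from this host since that marker


@dataclass
class Report:
    host: str
    nonce: str
    claimed: int      # messages the sender says it emitted since the last marker
    observed: int     # messages the collector actually received in that interval
    verdict: str      # "resync", "ok", "loss" or "excess"


def analyze(lines: List[str]) -> List[Report]:
    """Walk collector-side log lines and compare sender counts with received counts.
    Both counts include the marker itself, so the bookkeeping stays consistent."""
    state: Dict[str, HostState] = defaultdict(HostState)
    reports: List[Report] = []
    for line in lines:
        m = HOST_RE.match(line)
        if not m:
            continue                      # not a syslog record we understand
        st = state[m.group("host")]
        st.seen += 1
        mk = MARKER_RE.match(line)
        if not mk:
            continue                      # ordinary message, just counted
        nonce, seq = mk.group("nonce"), int(mk.group("seq"))
        if nonce != st.nonce or seq < st.last_seq:
            # New nonce (sender restarted or reset) or a sequence that went backwards:
            # counts start over, there is nothing meaningful to compare yet.
            reports.append(Report(mk.group("host"), nonce, 0, 0, "resync"))
        else:
            claimed, observed = seq - st.last_seq, st.seen
            if observed < claimed:
                verdict = "loss"          # the usual UDP story: messages dropped in transit
            elif observed > claimed:
                verdict = "excess"        # more than the sender emitted: bogus messages injected
            else:
                verdict = "ok"
            reports.append(Report(mk.group("host"), nonce, claimed, observed, verdict))
        st.nonce, st.last_seq, st.seen = nonce, seq, 0
    return reports


def loss_summary(reports: List[Report]) -> Dict[str, float]:
    """Per-host fraction of claimed messages that never arrived (0.0 when nothing was claimed)."""
    claimed: Dict[str, int] = defaultdict(int)
    lost: Dict[str, int] = defaultdict(int)
    for r in reports:
        if r.verdict == "resync":
            continue
        claimed[r.host] += r.claimed
        lost[r.host] += max(r.claimed - r.observed, 0)
    return {h: (lost[h] / claimed[h] if claimed[h] else 0.0) for h in claimed}


# Constructed sample of what a collector might have written to disk.
SAMPLE = [
    marker_line("Aug  9 13:00:00", "web1", "deadbeef", 100),     # first marker: resync
    "Aug  9 13:00:01 web1 sshd[411]: Accepted publickey for ops",
    "Aug  9 13:00:02 web1 cron[77]: (root) CMD (run-parts)",
    "Aug  9 13:00:03 web1 kernel: eth0: link up",
    marker_line("Aug  9 13:00:05", "web1", "deadbeef", 108),     # claimed 8, got 4: loss
    marker_line("Aug  9 13:00:06", "db1", "0badf00d", 10),       # resync
    "Aug  9 13:00:07 db1 postgres[9]: connection authorized",
    "Aug  9 13:00:08 db1 postgres[9]: connection authorized",
    "Aug  9 13:00:09 db1 postgres[9]: connection authorized",
    "Aug  9 13:00:10 db1 postgres[9]: connection authorized",
    "Aug  9 13:00:11 db1 postgres[9]: connection authorized",
    marker_line("Aug  9 13:00:12", "db1", "0badf00d", 13),       # claimed 3, got 6: excess
    marker_line("Aug  9 13:00:13", "web1", "c0ffee42", 1),       # nonce changed: resync
    "Aug  9 13:00:14 web1 sshd[412]: Accepted publickey for ops",
    marker_line("Aug  9 13:00:15", "web1", "c0ffee42", 3),       # claimed 2, got 2: ok
]

if __name__ == "__main__":
    for r in analyze(SAMPLE):
        print(r)
    print(loss_summary(analyze(SAMPLE)))
```

The analyzer counts the marker itself on both sides, so a sender that bumps its sequence number for every record it forwards (markers included) lines up with the collector's count without special cases. A nonce change or a sequence number that runs backwards is treated as a resynchronisation point rather than a mismatch, which is what keeps a syslogd restart from being reported as loss.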