Very smart indeed, and very easy to test, i.e. a userland Perl script and log analyzer. UDP syslog is obviously broken and not reasonable to fix -- this may help spread the word and increase demand for solutions like ng.

best wishes,
adam

Marcus J. Ranum wrote:
> I just had an evil idea!!
>
> As I was revising the notes/slides for my syslog tutorial for
> SANS and USENIX, I got to the slide about my old results from
> a few years ago, that showed UDP syslog loses a huge percentage
> of messages as the load increases - and it gave me an idea. ;)
>
> What if when each syslogd starts up, it generates a nonce
> using, say, a CRC of time, pid, and log file inode # - it need not be
> cryptographically strong - and logs a message every whenever with
> ${timestamp} syslogd: host nonce sequence-number
>
> The nonce would be a hex representation of the CRC, and
> the "sequence number" is the number of messages that have been
> received and recorded or forwarded by that particular syslogd. Whenever
> the nonce changes, the count gets reset. The sender can reset the
> nonce whenever it wants to, if it's bored or whatever.
>
> This isn't an attempt to introduce reliability into syslog; it's
> more of an attempt to measure how unreliable it is. If you saw the
> count mismatch on the high side, you know you've just had someone
> inject a bunch of bogus messages into your log stream. More likely
> (based on my measures) what you'd see is that the count was way off
> on the low side. A particular machine sent 40000 log messages to
> its server; and its server saw 5000 of them. The server could track
> the counts/nonces from each of the hosts sending it logs, and could
> make some interesting statistics about how crappy syslogs are!
>
> Comments? [And, No; I don't believe in RFCs so let's not
> even GO that route. If you want to know why, read the preamble
> for RFC 3164]
>
> mjr.
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
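Adam's point that the scheme is easy to test with a small script and a log analyzer can be made concrete. The following is an added example written for this archive page, not code from either poster: a simulated syslogd that emits the proposed "${timestamp} syslogd: host nonce sequence-number" heartbeat, and a server-side analyzer that compares the sender's count with what actually arrived. The ordinary line layout ("<timestamp> <host> <tag>: <message>"), the choice to emit a heartbeat after every N ordinary messages, counting only ordinary messages in the sequence number, and the sample streams are all assumptions made here; the nonce is a CRC32 of time, pid and inode as the proposal describes, and is deliberately not cryptographic.

```python
import re
import zlib
from collections import defaultdict

# Heartbeat format from the proposal: "${timestamp} syslogd: host nonce sequence-number"
HEARTBEAT_RE = re.compile(
    r"^(?P<ts>\S+) syslogd: (?P<host>\S+) (?P<nonce>[0-9a-f]{8}) (?P<seq>\d+)$")


def make_nonce(now: int, pid: int, inode: int) -> str:
    """CRC32 over time, pid and log-file inode, rendered as 8 hex digits (not cryptographic)."""
    return format(zlib.crc32(f"{now}:{pid}:{inode}".encode()) & 0xFFFFFFFF, "08x")


def simulate_sender(host, nonce, n_messages, every, ts="2004-08-09T13:00:00"):
    """Constructed output of one syslogd instance: ordinary lines plus a heartbeat after
    every `every` messages; the sequence number is the count forwarded so far (assumed)."""
    lines = []
    for i in range(1, n_messages + 1):
        lines.append(f"{ts} {host} app[{i}]: message {i}")
        if i % every == 0:
            lines.append(f"{ts} syslogd: {host} {nonce} {i}")
    return lines


def new_stats():
    return {"expected": 0, "received": 0, "lost": 0, "injected": 0,
            "unaudited": 0, "nonce_resets": 0, "bad_heartbeats": 0}


def analyze(lines):
    """Server-side bookkeeping per host: between two heartbeats with the same nonce,
    compare lines actually seen with the sender's own count.
    Low side = loss on the wire; high side = something injected into the stream."""
    state = {}                      # host -> {"nonce", "last_seq", "seen"}
    stats = defaultdict(new_stats)
    for line in lines:
        m = HEARTBEAT_RE.match(line)
        if not m:
            parts = line.split()    # ordinary line: "<ts> <host> <tag>: <msg>" (assumed layout)
            if len(parts) < 2:
                continue
            host = parts[1]
            if host in state:
                state[host]["seen"] += 1
            else:
                stats[host]["unaudited"] += 1   # no baseline heartbeat for this host yet
            continue
        host, nonce, seq = m["host"], m["nonce"], int(m["seq"])
        st = state.get(host)
        if st is None or st["nonce"] != nonce:
            # fresh syslogd or voluntary reset: the sender's count restarted, so lines
            # seen before this heartbeat cannot be audited; start a new baseline
            if st is not None:
                stats[host]["nonce_resets"] += 1
                stats[host]["unaudited"] += st["seen"]
            state[host] = {"nonce": nonce, "last_seq": seq, "seen": 0}
            continue
        expected = seq - st["last_seq"]
        if expected < 0:
            # sequence went backwards under the same nonce: not a heartbeat this sender produced
            stats[host]["bad_heartbeats"] += 1
            stats[host]["unaudited"] += st["seen"]
            state[host] = {"nonce": nonce, "last_seq": seq, "seen": 0}
            continue
        s = stats[host]
        s["expected"] += expected
        s["received"] += st["seen"]
        if st["seen"] < expected:
            s["lost"] += expected - st["seen"]
        elif st["seen"] > expected:
            s["injected"] += st["seen"] - expected
        st["last_seq"], st["seen"] = seq, 0
    return dict(stats)


def demo():
    """Constructed scenario: webhost loses three lines on the wire and has two bogus
    lines inserted; dbhost restarts its syslogd (new nonce) halfway through."""
    web = simulate_sender("webhost", make_nonce(1092081600, 4242, 131073), 40, 10)
    dropped = {"message 13", "message 17", "message 23"}
    web = [l for l in web if l.split(": ")[-1] not in dropped]
    forged = "2004-08-09T13:00:00 webhost app[0]: bogus line"
    at = web.index("2004-08-09T13:00:00 webhost app[35]: message 35") + 1
    web[at:at] = [forged, forged]
    db = (simulate_sender("dbhost", make_nonce(1092081600, 777, 131073), 20, 10)
          + simulate_sender("dbhost", make_nonce(1092081900, 778, 131073), 20, 10))
    return analyze(web + db)


if __name__ == "__main__":
    for host, s in demo().items():
        print(host, s)
```

Lines that arrive before the first heartbeat of a nonce (and the ones between a sender's restart and its first new heartbeat) are reported as "unaudited" rather than guessed at, which is the price of letting the sender reset its nonce whenever it likes; a sequence number that goes backwards under an unchanged nonce is counted separately, since the proposal says the count only resets with the nonce.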
This archive was generated by hypermail 2.1.3 : Mon Aug 09 2004 - 13:08:36 PDT