Re: [logs] idea: let's scare ourselves...

From: Chris Calabrese (chris_calabrese@private)
Date: Tue Aug 10 2004 - 21:37:18 PDT


That's one of the things that the IETF's Syslog Reliable is supposed
to do (though with cryptographically strong signatures). Too bad it got
saddled with so much BEEP overhead.


--- "Marcus J. Ranum" <mjr@private> wrote:

> 	I just had an evil idea!!
> 
> 	As I was revising the notes/slides for my syslog tutorial for
> SANS and USENIX, I got to the slide about my old results from
> a few years ago, that showed UDP syslog loses a huge percentage
> of messages as the load increases - and it gave me an idea. ;)
> 
> 	What if when each syslogd starts up, it generates a nonce
> using, say, a CRC of time, pid, and log file inode # - it need not be
> cryptographically strong - and logs a message every whenever with
> ${timestamp} syslogd: host nonce sequence-number
> 
> 	The nonce would be a hex representation of the CRC, and
> the "sequence number" is the number of messages that have been
> received and recorded or forwarded by that particular syslogd. Whenever
> the nonce changes, the count gets reset. The sender can reset the
> nonce whenever it wants to, if it's bored or whatever.
> 
> 	This isn't an attempt to introduce reliability into syslog; it's
> more of an attempt to measure how unreliable it is. If you saw the
> count mismatch on the high side, you know you've just had someone
> inject a bunch of bogus messages into your log stream. More likely
> (based on my measures) what you'd see is that the count was way off 
> on the low side. A particular machine sent 40000 log messages to
> its server; and its server saw 5000 of them. The server could track
> the counts/nonces from each of the hosts sending it logs, and could
> make some interesting statistics about how crappy syslogs are!
> 
> 	Comments? [And, No; I don't believe in RFCs so let's not
> even GO that route. If you want to know why, read the preamble
> for RFC 3164]
> 
> mjr.
> 
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
> 


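The server-side bookkeeping Marcus sketches (track each sender's nonce and counter, compare the counter delta with what actually arrived, and flag the high side as injection and the low side as loss), as an added example that is not part of the thread or of any syslogd. It assumes a hypothetical layout for ordinary lines ("Aug 10 21:00:01 host tag: msg"), that marker messages are not counted in either side's tally, and constructed sample traffic from hosts web1 and db1.

```python
import re
from dataclasses import dataclass

# Marker format from the proposal: "${timestamp} syslogd: host nonce sequence-number"
MARKER = re.compile(r"^(?P<ts>\S+ \d+ [\d:]+) syslogd: (?P<host>\S+) (?P<nonce>[0-9a-fA-F]+) (?P<seq>\d+)$")
# Hypothetical layout assumed for ordinary lines: "<timestamp> <host> <tag>: <message>"
LINE = re.compile(r"^(?P<ts>\S+ \d+ [\d:]+) (?P<host>\S+) ")

@dataclass
class HostState:
    nonce: str = ""      # nonce seen in the sender's last marker
    last_seq: int = 0    # sender's counter at the last marker
    received: int = 0    # messages the server saw from this host since that marker

def check_stream(lines):
    """Return one (host, sent, received, verdict) tuple per marker interval."""
    hosts, findings = {}, []
    for line in lines:
        m = MARKER.match(line)
        if m:
            st = hosts.setdefault(m["host"], HostState())
            seq = int(m["seq"])
            if m["nonce"] != st.nonce:
                # New nonce: the sender restarted or reset its count, so rebase silently.
                st.nonce, st.last_seq, st.received = m["nonce"], seq, 0
                continue
            sent = seq - st.last_seq                 # what the sender says it emitted
            if st.received > sent:
                verdict = "high: injection suspected"   # more arrived than were sent
            elif st.received < sent:
                verdict = f"low: {100.0 * (sent - st.received) / sent:.1f}% lost"
            else:
                verdict = "ok"
            findings.append((m["host"], sent, st.received, verdict))
            st.last_seq, st.received = seq, 0
        else:
            m = LINE.match(line)
            if m:
                hosts.setdefault(m["host"], HostState()).received += 1
    return findings

# Constructed sample: web1 claims 5 messages but only 4 arrive; db1 claims 2 but 3 arrive;
# web1 then restarts with a fresh nonce, which rebases its counter without a finding.
SAMPLE = """\
Aug 10 21:00:00 syslogd: web1 c0ffee 0
Aug 10 21:00:01 web1 sshd: accepted
Aug 10 21:00:02 web1 sshd: accepted
Aug 10 21:00:03 web1 cron: job
Aug 10 21:00:04 web1 cron: job
Aug 10 21:01:00 syslogd: web1 c0ffee 5
Aug 10 21:01:01 syslogd: db1 1234ab 100
Aug 10 21:01:02 db1 postgres: ok
Aug 10 21:01:03 db1 postgres: ok
Aug 10 21:01:04 db1 postgres: ok
Aug 10 21:02:00 syslogd: db1 1234ab 102
Aug 10 21:03:00 syslogd: web1 deadbe 0
""".splitlines()
```

Running `check_stream(SAMPLE)` yields one low-side finding for web1 and one high-side finding for db1; the per-host loss percentages are the "interesting statistics" the server can accumulate over time.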



This archive was generated by hypermail 2.1.3 : Wed Aug 11 2004 - 11:58:42 PDT