RE: [logs] idea: let's scare ourselves...

From: Rainer Gerhards (rgerhards@private)
Date: Wed Aug 11 2004 - 03:40:53 PDT


Marcus,

I know that you do not believe in RFCs ... but maybe you might at least
consider some of the recent movements. [not intended to be bashing ...
just to make sure that I, a non-native speaker, am not misunderstood ;)]

The syslog protocol format is currently being revised. Background
information, including the latest draft, can be found at

http://www.syslog.cc/ietf/protocol.html

The draft is soon to be in last call, which means it is on its way to a
standards-track RFC. At least some of your points HAVE been included
(like the timestamp, hostname and such). There is a new, layered
approach which enables syslog to travel over a variety of protocols.
Though not popular in the IETF, this may mean it can also travel over
non-BEEP TCP IF there is enough voiced demand for this.

The syslog-protocol draft does not offer sequence numbers per se, BUT it
comes with so-called "structured data elements". These are standard
elements that allow you to specify your own, well-formed (meta)
information. I think that would probably be a good fit.

I would also like to ask all those that do not like the way syslog works
to have a look at the IETF working group. NOW is the time to make your
voice heard, because NOW the protocol is under heavy review ... but
only a few voices are really heard. Honestly, I think it is not helpful
to say "syslog is bad" and NOT to try to change it. Of course, it's
easier ;) Standards take some time, but the good thing is that without
standards, we just have either interop-problems or a monopoly...

The syslog-sec IETF WG home page can be found at 

http://www.ietf.org/html.charters/syslog-charter.html

Rainer

> -----Original Message-----
> From: loganalysis-bounces+rgerhards=hq.adiscon.com@private
> [mailto:loganalysis-bounces+rgerhards=hq.adiscon.com@private]
> On Behalf Of Marcus J. Ranum
> Sent: Tuesday, August 10, 2004 9:48 PM
> To: Darren Reed
> Cc: loganalysis@private
> Subject: Re: [logs] idea: let's scare ourselves...
> 
> Darren Reed wrote:
> >> What if when each syslogd starts up, it generates a nonce
> >> using, say, a CRC of time, pid, and log file inode # - it need not be
> >> cryptographically strong - and logs a message every whenever with
> >> ${timestamp} syslogd: host nonce sequence-number
> >
> >If you're going to modify the text in the message, the consensus
> >from the syslog working group was to append text as there is less
> >likelihood of disrupting existing programs that expect the text
> >to be formatted the way it is today.
> 
> 
> Nope, I was thinking that the syslogd would just periodically
> generate the message itself, from itself, so no tampering
> with other messages would be necessary. A server that
> cared, however, would then be able to measure loss per
> client or restarts per client without requiring any additional
> client smarts.
> 
> Of course 10 seconds after I hit "Send" I realized that the
> flaw in my whole idea was that if you're going to replace
> syslogd to include the feature I was proposing, then you
> could just as easily replace it with a syslogd that didn't
> suck and thereby solve the problem.
> 
> mjr. 
> 
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
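The two ideas in this exchange fit together on the receiving side: Marcus's syslogd heartbeat (host, nonce, sequence number, emitted periodically by the daemon itself) and Rainer's suggestion to carry such metadata in a structured data element. Below is an added example, written for this page and not code from the thread, the syslog-protocol draft or any of the posters, of a log server check that parses such heartbeats and measures loss and restarts per client. It assumes the syslog-protocol message format as later published in RFC 5424 (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA, MSG); the 2004 draft Rainer links to may differ in detail. The SD-ID `hb@32473` and its PARAMs `nonce` and `seq` are hypothetical names chosen for illustration (32473 is the enterprise number IANA reserves for documentation), and the sample lines are constructed.

```python
"""
Added example, not from the original thread: server-side tracking of a
periodic syslogd heartbeat carried in an RFC 5424 structured-data element.

Assumptions (not from the page):
  * messages use the RFC 5424 format as eventually published;
  * the heartbeat lives in a hypothetical SD element hb@32473 with
    PARAMs nonce (changes on each syslogd start) and seq (counter).
"""
import re
from dataclasses import dataclass, field

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD + MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# One SD-ELEMENT: [SD-ID PARAM-NAME="value" ...]; values may escape ] " and \
SD_ELEMENT_RE = re.compile(
    r'\[(?P<sdid>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]'
)
SD_PARAM_RE = re.compile(r' (?P<name>[^ =\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def parse_structured_data(rest):
    """Split the STRUCTURED-DATA + MSG tail into ({sdid: {param: value}}, msg)."""
    if rest.startswith("-"):               # NILVALUE: no structured data
        return {}, rest[1:].lstrip(" ")
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed structured data at offset %d" % pos)
        params = {}
        for pm in SD_PARAM_RE.finditer(m.group("params")):
            # undo the three PARAM-VALUE escapes RFC 5424 defines: \] \" \\
            params[pm.group("name")] = re.sub(r'\\([\]"\\])', r"\1", pm.group("value"))
        sd[m.group("sdid")] = params
        pos = m.end()
    return sd, rest[pos:].lstrip(" ")


@dataclass
class HostState:
    nonce: str
    last_seq: int
    lost: int = 0        # heartbeats missing from the sequence
    restarts: int = 0    # nonce changes seen for this host
    duplicates: int = 0  # seq <= last_seq under the same nonce (replay / double delivery)


@dataclass
class HeartbeatTracker:
    sd_id: str = "hb@32473"   # hypothetical SD-ID, see lead-in
    hosts: dict = field(default_factory=dict)

    def feed(self, line):
        """Parse one syslog line; update per-host counters if it is a heartbeat.
        Returns the host name for a heartbeat, None for any other message."""
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("not an RFC 5424 message: %r" % line)
        sd, _msg = parse_structured_data(m.group("rest"))
        hb = sd.get(self.sd_id)
        if hb is None:
            return None
        host, nonce, seq = m.group("host"), hb["nonce"], int(hb["seq"])
        state = self.hosts.get(host)
        if state is None:
            self.hosts[host] = HostState(nonce=nonce, last_seq=seq)
        elif nonce != state.nonce:
            # new nonce: the client's syslogd restarted, its counter starts over
            state.restarts += 1
            state.nonce, state.last_seq = nonce, seq
        elif seq > state.last_seq + 1:
            state.lost += seq - state.last_seq - 1
            state.last_seq = seq
        elif seq <= state.last_seq:
            state.duplicates += 1
        else:
            state.last_seq = seq
        return host


# Constructed sample input: web1 loses two heartbeats, sees one duplicate,
# then restarts (new nonce); db1 is healthy and exercises the \] escape.
SAMPLE_LINES = [
    '<14>1 2004-08-10T21:48:00Z web1 syslogd - - [hb@32473 nonce="a1b2c3" seq="1"] heartbeat',
    '<14>1 2004-08-10T21:48:10Z web1 syslogd - - [hb@32473 nonce="a1b2c3" seq="2"] heartbeat',
    '<14>1 2004-08-10T21:48:20Z web1 sshd 1234 - - Accepted publickey for alice from 10.0.0.5',
    '<14>1 2004-08-10T21:48:40Z web1 syslogd - - [hb@32473 nonce="a1b2c3" seq="5"] heartbeat',
    '<14>1 2004-08-10T21:48:40Z web1 syslogd - - [hb@32473 nonce="a1b2c3" seq="5"] heartbeat',
    '<14>1 2004-08-10T21:50:00Z web1 syslogd - - [hb@32473 nonce="9f8e7d" seq="1"] heartbeat',
    '<14>1 2004-08-10T21:48:05Z db1 syslogd - - [hb@32473 nonce="ffff" seq="7" note="esc\\]aped"] heartbeat',
    '<14>1 2004-08-10T21:48:15Z db1 syslogd - - [hb@32473 nonce="ffff" seq="8"] heartbeat',
]


def run_sample():
    """Feed the constructed lines and return the tracker with per-host state."""
    tracker = HeartbeatTracker()
    for line in SAMPLE_LINES:
        tracker.feed(line)
    return tracker


if __name__ == "__main__":
    for host, st in run_sample().hosts.items():
        print(host, st)
```

The nonce makes restarts distinguishable from loss without any cryptographic strength, exactly as the quoted proposal says: a counter that goes backwards under the same nonce is a duplicate or replay, a counter that jumps is loss, and a new nonce is a restart. Over UDP syslog the loss figure is only a lower bound, since heartbeats themselves can be lost between two observed ones.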



This archive was generated by hypermail 2.1.3 : Wed Aug 11 2004 - 12:01:14 PDT