Devdas Bhagat writes:
[...]
> Top N blocked spam sending systems (by IP, by domain and by ip whois).
>  -- Useful for judging how good/bad a DNSBL is with respect to
>     your requirements
> Top N servers handling the mail load.
>  -- Ideally, this should be equally well distributed.
> Top N ports being probed.
>  -- New attacks?
[deletia]

The interesting thing I get out of reading the report ideas people have posted to this list is this: syslog really has no mechanism by which such information may be unambiguously conveyed. Certainly we can use swatch(1) or its moral equivalent to fling logs through a regex(3) sieve, but these general classes of events cannot be identified with the concision (or portability) that, say, the service or severity can.

I've actually made this observation (and the related suggestion: syslog(3) should really have better expressive power), but haven't really seen much discussion about this sort of thing (including in the discussion of the new IETF draft). Am I just nuts (about this, I mean)?

One of the things that sucks about vanilla syslog is the transport. There is, however, vo-friggin-luminous discussion of this end of the problem. The larger problem, to my mind anyway, is the ability to unambiguously evaluate what a line from syslog means (or, more properly, what it is intended to represent). My (perhaps naive) thought is that a better-enunciated diction would solve a big wallop of this problem. I.e., having an application report, via syslog, the equivalent of `application foo (with PID bar) on machine baz has reported a failed authentication attempt' (think something like `syslog(LOG_NOTICE, LOG_AUTH, AUTH_FAIL, "[This space intentionally left blank");'), rather than attempting to convey this information entirely in the human-readable portion of the log[0].

Granted, an individual application could create a set of tokens for this purpose, assuming a parsing widget at the far end with the same lexicon. But what I'm talking about is a general and (insofar as a new rev of syslog would be) universal diction.

-spb

-----
0 Only a strawman example, obviously. The actual form of such a diction is beyond the scope of this message, although I'd be delighted to discuss the idea in greater (and even tiresome) depth.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
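As an added illustration of the idea in the post (example code written here, not from the post, the list, or any syslog implementation): a small Python parser that classifies constructed sample lines by an event-class token carried in the message, beside the kind of regex sieve the post mentions. The bracketed `[AUTH_FAIL]` convention, the token names and the sample lines are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical event-class lexicon (an assumption for this illustration, not a standard).
AUTH_FAIL = "AUTH_FAIL"
AUTH_OK = "AUTH_OK"

# Constructed sample lines. The first three carry a structured token in a bracketed
# prefix; the last one is free-form text, as most daemons emit today.
SAMPLE_LINES = [
    "Aug 19 09:52:54 baz sshd[4242]: [AUTH_FAIL] Failed password for root from 203.0.113.5",
    "Aug 19 09:52:55 baz login[4300]: [AUTH_FAIL] FAILED LOGIN 1 FROM tty1 FOR root",
    "Aug 19 09:52:56 baz sshd[4242]: [AUTH_OK] Accepted publickey for spb from 198.51.100.7",
    "Aug 19 09:52:57 baz su[4311]: authentication failure; uid=1000 rhost= user=root",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<app>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TOKEN_RE = re.compile(r"^\[(?P<token>[A-Z_]+)\]\s*(?P<rest>.*)$")
# The "regex sieve": a per-application heuristic that recovers the event class from prose.
# It is tied to one daemon's wording, which is exactly the portability problem.
HEURISTIC_RE = re.compile(r"Failed password")

@dataclass
class Event:
    host: str
    app: str
    pid: int
    event: Optional[str]  # structured token, or None when the line carries none
    guess: Optional[str]  # heuristic classification from the human-readable text

def parse_line(line: str) -> Event:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    msg, token = m.group("msg"), None
    t = TOKEN_RE.match(msg)
    if t:  # structured token present: unambiguous, independent of the wording that follows
        token, msg = t.group("token"), t.group("rest")
    guess = AUTH_FAIL if HEURISTIC_RE.search(msg) else None
    return Event(m.group("host"), m.group("app"), int(m.group("pid")), token, guess)

def count_auth_failures(lines):
    """Return (failures seen via token, failures seen via the regex sieve)."""
    events = [parse_line(l) for l in lines]
    by_token = sum(1 for e in events if e.event == AUTH_FAIL)
    by_regex = sum(1 for e in events if e.guess == AUTH_FAIL)
    return by_token, by_regex
```

On the sample input the token count covers both sshd and login, while the sshd-specific regex counts only one and neither method sees the untagged su line, which is the gap the post is describing.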
This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 09:52:54 PDT