Re: periodic security run output gives false positives after 1 year



On 17.02.2012 20:48, Roger Marquis wrote:
and difficult to change without breaking more than it fixes. The current
syslog syntax timestamp has been reliable now for what, 25+ years? I
don't personally see any measurable ROI from changing it. YMMV of
course.

I really understand the concern, but some requirements do change over
time. Staying at the lowest common denominator for 25+ years may
indicate robustness, but it may also indicate obsolescence.

I would like to ask a different question: what is our target? What kind
of logging infrastructure should a current operating system provide? And
how can we move forward toward that?

YMMV, but for me this target includes ISO timestamps, TLS network
transport, UTF-8 support, and more structured messages.
The IETF protocols are part of the solution, traditional BSD Syslog is
not enough.


A few more thoughts for the discussion:
- with ISO dates it is easy to pipe logs through a timestamp-rewriting
perl script for older analysis tools. And some tools already support ISO
dates (for example the latest version of pflogsumm).

- similar compatibility questions arise with UTF-8 data in logs.
syslogd(8) writes ASCII-only logs to ensure wide compatibility.

- some admins (including myself) already moved to syslog-ng for these
two reasons: TLS transport and ISO timestamps.

- regarding timestamps: I guess everyone with a long-term log archive
already has some year/month scheme, so IMHO the year is only a nice
bonus rather than a big feature. -- Bigger benefits are sub-second
resolution and timezone information (because with daylight saving time
even a standalone system spans two timezones).

- in principle the NetBSD-current syslogd(8) even supports a per-target
configuration of old/new log format. But iirc this is not enabled,
because such a flag would add more clutter to the syslog.conf(5) syntax.

--
Martin Schütte
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
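As an added illustration of two points from the post above (the timestamp-rewriting filter for older tools, and the observation that a stand-alone host spans two UTC offsets once DST is in play), here is a small Python script. It is not part of the thread and not the Perl filter the author mentions; it assumes a constructed local zone that follows the EU DST rule (UTC+1 in winter, UTC+2 between the last Sunday of March and the last Sunday of October, switching at 01:00 UTC) instead of a real tz database entry, a year-inference heuristic for BSD stamps that is mine, and constructed sample log lines.

```python
"""Added example (not from the mailing-list thread): what a BSD syslog
timestamp ("Mon DD HH:MM:SS") loses compared with an RFC 5424 / ISO 8601
timestamp, and the two rewriting directions an admin ends up needing.

Assumptions, all constructed for this example:
  * the host's local zone follows the EU DST rule: UTC+1 in winter, UTC+2
    from the last Sunday of March to the last Sunday of October, switching
    at 01:00 UTC (a stand-in for a real tz database entry);
  * the year of a BSD stamp is inferred with a simple heuristic;
  * the sample log lines are constructed, not real logs.
"""
import re
from datetime import datetime, timedelta, timezone

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
STD, DST = timedelta(hours=1), timedelta(hours=2)   # assumed zone offsets

BSD_TS = re.compile(r"^([A-Z][a-z]{2}) ( \d|\d\d) (\d\d):(\d\d):(\d\d) ")
ISO_TS = re.compile(
    r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)")


def last_sunday(year, month):
    """Last Sunday of a 31-day month (March and October both qualify)."""
    d = datetime(year, month, 31)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def dst_bounds_utc(year):
    """UTC instants at which the assumed zone enters and leaves DST."""
    return (last_sunday(year, 3).replace(hour=1),
            last_sunday(year, 10).replace(hour=1))


def local_to_utc(naive):
    """Every UTC instant a wall-clock time can denote in the assumed zone.
    Normally exactly one; none during the spring-forward gap; two during
    the autumn fold. Without an offset in the log line this is undecidable."""
    start, end = dst_bounds_utc(naive.year)
    found = []
    for off in (STD, DST):
        utc = naive - off
        # keep the candidate only if the offset we assumed is the one
        # actually in force at that UTC instant
        if (start <= utc < end) == (off == DST):
            found.append(utc.replace(tzinfo=timezone.utc))
    return found


def parse_bsd(line, now):
    """Parse an RFC 3164 stamp. The line carries no year, so it is
    inferred from 'now' (heuristic): a stamp more than a day in the
    future must belong to the previous year, e.g. December lines read in
    January. Returns a naive datetime, or None if the line does not match."""
    m = BSD_TS.match(line)
    if not m:
        return None
    mon = MONTHS.index(m.group(1)) + 1
    day, hh, mm, ss = (int(g) for g in m.groups()[1:])
    dt = datetime(now.year, mon, day, hh, mm, ss)
    if dt > now + timedelta(days=1):
        dt = dt.replace(year=now.year - 1)
    return dt


def bsd_to_iso(line, now):
    """All RFC 5424-style timestamps a BSD stamp could mean, with the
    offset made explicit. An empty list means the wall-clock time never
    existed (spring-forward gap); two entries mean it is ambiguous."""
    naive = parse_bsd(line, now)
    if naive is None:
        return []
    out = []
    for utc in local_to_utc(naive):
        off = naive - utc.replace(tzinfo=None)
        out.append(naive.replace(tzinfo=timezone(off)).isoformat())
    return out


def iso_to_bsd(line):
    """Rewrite the first ISO timestamp in a line into BSD form for tools
    that only understand 'Mon DD HH:MM:SS'. This is lossy on purpose:
    year, fraction and offset are dropped; the wall-clock time is kept."""
    m = ISO_TS.search(line)
    if not m:
        return line
    dt = datetime.fromisoformat(m.group(0).replace("Z", "+00:00"))
    bsd = f"{MONTHS[dt.month - 1]} {dt.day:2d} {dt:%H:%M:%S}"
    return line[:m.start()] + bsd + line[m.end():]


if __name__ == "__main__":
    now = datetime(2012, 11, 15, 12, 0, 0)       # constructed "now"
    for line in ("Dec 31 23:59:59 host sshd[123]: constructed line",
                 "Oct 28 02:30:00 host sshd[123]: constructed line",
                 "Mar 25 02:30:00 host sshd[123]: constructed line"):
        print(line[:15], "->", bsd_to_iso(line, now) or "nonexistent wall-clock time")
    print(iso_to_bsd("<34>1 2012-10-28T02:30:00.123+01:00 host app - - - constructed message"))
```

Run it and the October line comes back with two candidate offsets while the March line comes back with none: that is the once-a-year ambiguity and once-a-year gap a year-less, offset-less stamp carries, and it is why the post treats the offset as the bigger win over the year. The reverse direction (`iso_to_bsd`) is the filter the post suggests for older analysis tools; keep in mind that it throws the offset away, so run it on the output side of the archive, not on the copy you keep.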