I am sorry Gert - My fault for not explaining more, and I thought it was inherently obvious what it has to do with your filter. What I am looking for is a stronger log maintenance regimen from SyslogNG or the tools around its use. Let me ask "Gert, what is the point of collecting logging information anyway?" So that we as systems admins can prove what went on inside our systems - leaving us as the weak link in the evidentiary chain of custody for events taking place inside the audit envelope around your systems. Also - at least in the States here after the ENRON debacle - look to auditors to have a much stronger profile in any audit and process walkthrough that we as Systems Admins will have to do for them. That has direct implications on the trustability of the systems that we erect to log our systems' activities with.

Todd Glassey

----- Original Message -----
From: "Gert Menke" <gert@menke.za.net>
To: "todd glassey" <todd.glassey@worldnet.att.net>
Cc: <syslog-ng@lists.balabit.hu>
Sent: Sunday, January 20, 2002 7:27 AM
Subject: Re: [syslog-ng][PATCH] netmask-filter
Hi!

> I like it and all that it is missing is

Thanks, but I don't see what those things have to do with my patch?

> 1) A mechanism of proving delivery receipt - i.e. reliable delivery
> of syslog information

Hm, using tcp instead of udp could improve things a bit, but not every syslogd supports that.

> 2) A mechanism of watermarking or timestamping with a reliable time
> base so that the records can stand up to evidentiary use model requirements.

Yes, that could be useful. I heard about a program called multilog a few days ago; IIRC it is able to do such things. (You would need to pipe your syslog data to multilog via destination{program("multilog...");}; or so.) Does anybody on this list know more about this?

BTW: Is it possible to customize the logfile format of syslog-ng? I would like something like: <local timestamp><source ip><host><sender's timestamp><message>

> 3) A uniform Syslog Event Query Interface (XDAS or DOORS compliant
> would be nice too!).

Could you explain that a little more?

Greetings
Gert
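As an added illustration that is not part of the thread, here is a syslog-ng configuration that receives over TCP (Gert's suggestion for more reliable delivery) and writes each record in the layout he asks about, keeping the receiver's own timestamp separate from the sender's so that a skewed or misconfigured client clock is visible to an auditor. The macro names are those of current syslog-ng 3.x rather than the 1.x release discussed in 2002; the version line, port and file path are assumed placeholders.

```conf
# Added example, not from the mailing-list thread.
# Macro names follow syslog-ng 3.x; the version line, port and path are
# placeholder choices.
@version: 3.38

source s_net {
    # TCP rather than UDP: a broken connection is reported to the sender,
    # although this is still not an application-level delivery receipt.
    network(transport("tcp") ip("0.0.0.0") port(514));
};

# <local timestamp><source ip><host><sender's timestamp><message>
# R_ISODATE is the time the receiver got the record, S_ISODATE the time
# claimed by the sender; recording both lets clock skew be detected.
template t_audit {
    template("${R_ISODATE} ${SOURCEIP} ${HOST} ${S_ISODATE} ${MSG}\n");
};

destination d_audit {
    file("/var/log/audit-format.log"
         template(t_audit)
         create-dirs(yes)
         perm(0600));
};

log { source(s_net); destination(d_audit); };
```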