Gregor Binder <gbinder@sysfive.com> wrote (on Thu, 11 Jan 2001 17:05:03 +0100):

» > Nevertheless, I'm not sure that is really what you (and I) want. In my
» > example, it creates files with the *dates of the syslog messages*, which
» > is different from the date of the day they are received. In my case,
» > it seems I have syslog clients with unsynchronized clocks and I
» > already have messages-20010704 for example (4th July 2001!).
»
» I have requested the feature to change this behaviour some time ago, and
» Balasz made it come true shortly after, it's an option. use_time_recvd()
» boolean.

It is not yet documented... But the source of course mentions it.

Thierry
I suggest that the syslog-ng server also might want to have a capability of getting NTP data directly from one of the locally defined NTP servers. This capability, if Dr. Mills' Autokey or some other X.509 signing service were added to it, would allow syslog to actually be a timestamp server and timestamp the overall repository of all OS and other client log data on a system. This is a grand slam in securing the overall context of the audit process itself.

Another concept that deserves some airing in this forum is that currently all of us as sysadmins are legally culpable for the data that traverses our systems, whether we like it or not. This is a problem because almost all evidentiary models have no method of substantiating themselves. With a computer system right now it's the sysadmins or DBAs that are the weak link in building trustworthy systems, so what's the answer?

Audit systems that are tamper-proofed. There is a distinct need in syslog-ng to build datapoint authentication and maintenance services into syslog such that it can actually "testify" as to what it was told by these other systems. This, while seemingly an interesting foible, is a key concept in building audit systems for e-business and other applications.

Todd Glassey
CTO, Boarderless Technologies

----- Original Message -----
From: "Thierry Besancon" <Thierry.Besancon@prism.uvsq.fr>
To: <syslog-ng@lists.balabit.hu>
Sent: Friday, January 12, 2001 4:23 AM
Subject: Re: [syslog-ng]sync question, feature request

[...]

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Hello,

I have to ask, what is wrong with running an NTP client on your syslog-ng machine? Would this not achieve the same result as you want, or is there some other reason for it?

Jason Edgecombe

todd glassey wrote:
> I suggest that the syslog-ng server also might want to have a capability of getting NTP data directly from one of the locally defined NTP servers. This capability, if Dr. Mills' Autokey or some other X.509 signing service were added to it, would allow syslog to actually be a timestamp server and timestamp the overall repository of all OS and other client log data on a system. This is a grand slam in securing the overall context of the audit process itself.
> [...]
Jason - let me just answer your question here. "What is the problem with running NTP on the hosting system as a separate process from the logger?" The answer is that "Yes, there is a problem, and this is because, as an evidentiary process, in systems that rely on separate services in the same hosting OS context, the quality of the results is always predicated against the systems admin." The whole point of creating a next-generation logging system is to remove the culpability of the operator of the computer from the trust equation, so that machines can do business with each other without our lies or other human foibles.

Todd Glassey

----- Original Message -----
From: "Jason Edgecombe" <javaman@vnet.net>
To: <syslog-ng@lists.balabit.hu>
Sent: Thursday, January 18, 2001 10:25 AM
Subject: Re: [syslog-ng]sync question, feature request

Hello, I have to ask, what is wrong with running an NTP client on your syslog-ng machine? Would this not achieve the same result as you want, or is there some other reason for it?

Jason Edgecombe

todd glassey wrote:
> I suggest that the syslog-ng server also might want to have a capability of getting NTP data directly from one of the locally defined NTP servers.
> [...]
todd glassey on Mon, Jan 22, 2001 at 09:21:41AM -0800:

Todd,

> Jason - let me just answer your question here. "What is the problem with running NTP on the hosting system as a separate process from the logger?" The answer is that "Yes, there is a problem, and this is because, as an evidentiary process, in systems that rely on separate services in the same hosting OS context, the quality of the results is always predicated against the systems admin."

Assuming you integrate NTP functionality into syslog-ng, what stops me from attaching a debugger to syslog-ng as root and modifying data or code to falsify timestamps? True, it's somewhat harder than just killing ntpd and setting a wrong time manually, but that doesn't mean it cannot be done. Or did I get something wrong?

Regards,

Gregor.

--
Gregor Binder <gregor.binder@sysfive.com> http://sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55