[syslog-ng][PATCH] netmask-filter

todd glassey todd.glassey@worldnet.att.net
Mon, 21 Jan 2002 05:46:35 -0800


I am sorry Gert - My fault for not explaining more, and I thought it was
inherently obvious what it has to do with your filter. What I am looking for
is a stronger log maintenance regimen from SyslogNG or the tools around its
use.

Let me ask "Gert, what is the point of collecting logging information
anyway?" So that we as systems admins can prove what went on inside our
systems - leaving us as the weak link in the evidentiary chain of custody
for events taking place inside the audit envelope around your systems.

Also - at least in the states here after the ENRON debacle - look to
auditors to have a much stronger profile in any audit and process
walkthrough that we as Systems Admins will have to do for them. That has
direct implications on the trustability of the systems that we erect to log
our systems' activities with.

Todd Glassey



----- Original Message -----
From: "Gert Menke" <gert@menke.za.net>
To: "todd glassey" <todd.glassey@worldnet.att.net>
Cc: <syslog-ng@lists.balabit.hu>
Sent: Sunday, January 20, 2002 7:27 AM
Subject: Re: [syslog-ng][PATCH] netmask-filter


> Hi!
>
> > I like it and all that it is missing is
> Thanks, but I don't see what those things have to do with my patch?
>
> >     1)    A mechanism of proving delivery receipt - i.e. reliable
> > delivery of syslog information
> Hm, using tcp instead of udp could improve things a bit, but not every
> syslogd supports that.
>
> >     2)    A mechanism of watermarking or timestamping with a reliable
> > time base so that the records can stand up to evidentiary use model
> > requirements.
> Yes, that could be useful. I heard about a program called multilog a few
> days ago; IIRC it is able to do such things. (You would need to pipe your
> syslog data to multilog via destination{program("multilog...");}; or so.)
> Does anybody on this list know more about this?
>
> BTW: Is it possible to customize the logfile format of syslog-ng?
> I would like something like:
> <local timestamp><source ip><host><sender's timestamp><message>
>
> >     3)    A uniform Syslog Event Query Interface (XDAS or DOORS
> > compliant would be nice too!).
> Could you explain that a little more?
>
> Greetings
> Gert
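Todd's item 2 (timestamping records with the receiver's clock so they hold up as evidence) and Gert's wish for a `<local timestamp><source ip><host><sender's timestamp><message>` layout can be combined in a small program fed by a syslog-ng `program()` destination. The script below is an added illustration written for this thread, not part of the patch, syslog-ng or multilog; the `destination` hookup, the input line layout, and the source-IP argument are assumptions, and the SHA-256 hash chain is one possible watermarking scheme, not something either poster proposed.

```python
"""Tamper-evident reformatter for a syslog-ng program() destination (hypothetical hookup:
destination d_chain { program("/usr/local/bin/chainlog.py"); };). Each input line is assumed
to look like "Jan 20 07:27:01 webhost sshd[1234]: ..." (sender timestamp, host, message)."""
import hashlib
import sys
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record

def parse_line(line):
    # Split "Mon DD HH:MM:SS host rest" into (sender timestamp, host, message).
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) < 5:
        return None
    return " ".join(parts[:3]), parts[3], parts[4]

def chain_record(prev_hash, local_ts, source_ip, host, sender_ts, msg):
    # Field order follows Gert's wish list; the trailing digest covers this record
    # plus the previous digest, so altering or dropping any earlier record breaks every later one.
    body = "\t".join([local_ts, source_ip, host, sender_ts, msg])
    digest = hashlib.sha256((prev_hash + "\n" + body).encode()).hexdigest()
    return body + "\t" + digest, digest

def build_chain(lines, source_ip, local_ts_fn):
    # local_ts_fn supplies the receiver clock (ideally NTP-disciplined) and is injectable for tests.
    records, prev = [], GENESIS
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed input is skipped rather than corrupting the chain
        sender_ts, host, msg = parsed
        rec, prev = chain_record(prev, local_ts_fn(), source_ip, host, sender_ts, msg)
        records.append(rec)
    return records

def verify_chain(records):
    # Return the index of the first record whose digest does not verify, or -1 if all hold.
    prev = GENESIS
    for i, rec in enumerate(records):
        body, _, digest = rec.rpartition("\t")
        if digest != hashlib.sha256((prev + "\n" + body).encode()).hexdigest():
            return i
        prev = digest
    return -1

if __name__ == "__main__":
    # Reads the live feed from syslog-ng on stdin; source IP is assumed fixed per pipe.
    now = lambda: datetime.now(timezone.utc).isoformat(timespec="seconds")
    for rec in build_chain(sys.stdin, sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0", now):
        print(rec, flush=True)
```

A chain alone can be silently rebuilt by anyone with write access to the file, so periodically copy the latest digest to a separate, append-only location (or sign it) to make the history independently checkable.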