On Tue, 20 Jan 2009, RB wrote:

> On Tue, Jan 20, 2009 at 06:00, Rainer Gerhards <[email protected]> wrote:
>
>> Are there some folks on this list who are working in the computer
>> forensics space? I wonder how syslog, and rsyslog in specific, works in
>> forensics.
>
> Could you clarify what you're asking here? There are two clearly
> delineated portions of the computer forensics space: that which is
> analyzed and that which performs the analysis. Are you looking more
> to improve analysis of rsyslog instances or to integrate into back-end
> tools?
>
>> Most importantly, I am interested in what stops acceptance in
>> the forensics field (or what nurtures it). I am interested in feedback
>> to help shape the medium to long term schedule for rsyslog (including
>> those initiatives that I should learn more about).
I think that what he is asking about is what makes logs acceptable or not acceptable when doing forensics, and what configurations of rsyslog would be acceptable.

For example, rsyslog can be configured to use disk-based queues on redundant drives and RELP for network communication, and the result will be that rsyslog is _very_ reliable in terms of preserving messages that get to it (at the cost of performance, but you can throw hardware at it to deal with that). This is probably acceptable as a log for forensics type work.

But what about the more normal settings? (TCP or UDP network communications with memory-based queues.) Those settings can lose data, but won't under normal conditions (assuming the network isn't so busy that it drops UDP packets).

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
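As an added illustration, not part of David's post or of the rsyslog project's own documentation, here are the two setups he contrasts written in rsyslog's legacy `$Directive` syntax of that era: a disk-queued RELP forwarder whose queue files sit on a mirrored volume, the matching RELP listener on the collector, and the plain TCP/UDP forwarding that relies on the default in-memory queue. The hostname `logserver.example.com`, the spool path, the port numbers and the disk-space cap are assumed values chosen for the example; the forwarder and collector fragments belong in the rsyslog.conf of two different hosts and are only shown together here.

```conf
########## Forwarding host: reliable variant ##########
# RELP output module (acknowledged delivery over TCP)
$ModLoad omrelp

# Queue files are written below this directory; assumed to be a
# RAID-1 / mirrored filesystem so a single disk failure does not
# take the spooled messages with it.
$WorkDirectory /var/spool/rsyslog

# Action queue parameters apply to the next action line only.
# "Disk" is a pure disk queue: every message is written to the
# queue file before the forwarder attempts delivery.
$ActionQueueType Disk
$ActionQueueFileName fwdq
# Cap the queue so an unreachable collector cannot fill the volume
# (messages beyond the cap are dropped, so size it for the expected outage).
$ActionQueueMaxDiskSpace 2g
# Persist queue bookkeeping after every message
$ActionQueueCheckpointInterval 1
# Keep unsent messages across a restart
$ActionQueueSaveOnShutdown on
# Retry forever instead of eventually discarding the action's messages
$ActionResumeRetryCount -1
# Forward everything to the collector over RELP (assumed port 2514)
*.* :omrelp:logserver.example.com:2514

########## Collector: matching RELP listener ##########
$ModLoad imrelp
$InputRELPServerRun 2514

########## Forwarding host: the "normal" variant ##########
# No action queue directives, so the action runs in direct mode off the
# default in-memory main queue. Anything still in RAM is lost on a crash
# or unclean restart; UDP (single @) additionally drops silently when the
# network or the receiver is overloaded.
*.* @@logserver.example.com:514
#*.* @logserver.example.com:514
```

The forensic difference is where a message lives while it waits for the collector: on a durable, redundant disk in the first variant, in process memory in the second. A collector that must later vouch for completeness of a log stream therefore wants the sender running the first configuration, or at least something like `$ActionQueueType LinkedList` with a `$ActionQueueFileName`, which spills to disk only when the in-memory queue backs up.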

