On Tue, 19 Oct 1999 [EMAIL PROTECTED] wrote:

 > > I was happy to see that the IETF finally found out that the current
 > > syslog protocol is hmm... a bit limited.
 > 
You can obviously read my mind.

 > (By the way, would anyone be willing to write a one-page informational
 > RFC summarizing existing BSD UNIX syslog?  I would basically comment
 > syslog.h, but if anyone has interest and time, this would be a helpful
 > contribution.)
 > 
Hmmm, would this be more of a survey of the UDP packet format, a high-level
description of the syslog system, the differences between Berkeley and Sun
syslog implementations, or what? Though I don't have too much time, I do have
a record of painful experience with syslog and have also worked on
implementing a couple of extensions like cascading, sequencing, hashing, and
so on. If no one else does it and no one objects, I would write something
down. But rather after the scope is clear, to avoid wasting time.

 > This is not a glamorous area of network research, so I doubt you will find
 > anyone bragging about their accomplishments.
 > 
Oops, shall I cancel my previous paragraph? :-)

 > It seemed to me that the secure associations and chained log event records
 > did amount to a protocol, but within a system;  the principal goal as I
 > understand it is log file integrity within an insecure host, not integrity
 > of event records on a hostile network.  My main concern about Schneier's
 > proposal is that it seems to add substantial crypto burden to the client,
 > which is an issue for network devices and embedded systems with limited
 > resources.
 > 
What I understand is that he wants to provide a tamper-proof log of events
for later inspection. So you can set up your machine, leave it alone for a
while, and when you come back you can scan the syslog and be sure it has not
been manipulated in the meantime. So, yes, it is local, but to be diagnosed
online afterwards.

The resource consumption is one issue, another is the validation of a
framework to actually use these features, like infrastructure, etc.

 > > I don't know the last one, ssyslog.
 > 
 > Last call:  has ANYONE had contact with Lucio Torre from Buenos Aires, or
 > been able to download and test his work??  If not, I suggest we drop his
 > work from the discussion, because there is just not enough information
 > available.
 > 
I downloaded and evaluated it in February 1998. At that point it seemed to me
like a very promising work in progress (sorry, no insult intended) with good
paperwork, but a not yet satisfying implementation. The current location of
the code is:
        http://www.core-sdi.com/english/slogging/ssyslog-dl.html
But I haven't really checked it recently. The newest file is from July 15th,
1998. It is at the very minimum a good reference.

One more remark: whatever comes out of this effort, I volunteer to contribute
some of my time and a lot of ideas for the protocol-to-be. My background is
two years as Team Leader UNIX Security for a _very_ large German financial
institution. I took part in the design and implementation of a distributed
syslog infrastructure for hundreds of heterogeneous hosts (AIX, HP-UX,
Solaris, Digital UNIX, Linux, WinNT). And now I work for one of the larger
Linux distributors ...

 > Alex Brown <[EMAIL PROTECTED]> +1 508 323 2283
 > 
Volker

--
Volker Wiegand               Phone: +49 (0) 6196 / 50951-24
SuSE Rhein/Main AG             Fax: +49 (0) 6196 / 40 96 07
Mergenthalerallee 45-47     Mobile: +49 (0) 179 / 292 66 76
D-65760 Eschborn            E-Mail:  [EMAIL PROTECTED]
++ Only users lose drugs. Or was it the other way round? ++

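The thread above talks about "chained log event records", "sequencing, hashing" extensions, and Schneier's proposal for a log that can be checked later for manipulation on a host an intruder may have taken over. The following is an added example written for this page, not code from the mailing list, from Core SDI's ssyslog, or from Schneier's paper; it is a simplified hash-chain with a one-way evolving HMAC key, which is the core idea such schemes build on. The shared secret, the three syslog-style lines, the key-evolution label, and the JSON entry layout are all constructed for the illustration. The logging host only ever holds the current key; the verifier keeps the initial key elsewhere and replays the chain.

```python
"""Tamper-evident, forward-secure syslog chain (illustrative, not a real protocol)."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

ZERO_HASH = b"\x00" * 32  # back-link of the very first entry


def evolve_key(key: bytes) -> bytes:
    """One-way key update A_{j+1} = H("evolve" || A_j).

    The logger deletes A_j after the update, so an intruder who reads the
    host later cannot recompute MACs for entries written before the break-in.
    (The "evolve" label is an assumption of this example.)
    """
    return hashlib.sha256(b"evolve" + key).digest()


def entry_hash(entry: dict) -> bytes:
    """Canonical hash of a stored entry; becomes the next entry's back-link."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).digest()


def entry_mac(key: bytes, seq: int, prev: bytes, msg: str) -> str:
    """HMAC over sequence number, back-link and message under the current key."""
    data = seq.to_bytes(8, "big") + prev + msg.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChainedLog:
    """Logger side: holds only the *current* key, never earlier ones."""

    def __init__(self, initial_key: bytes) -> None:
        self.key = initial_key
        self.prev = ZERO_HASH
        self.seq = 0
        self.entries: List[dict] = []

    def append(self, msg: str) -> dict:
        self.seq += 1
        entry = {
            "seq": self.seq,
            "prev": self.prev.hex(),
            "msg": msg,
            "mac": entry_mac(self.key, self.seq, self.prev, msg),
        }
        self.entries.append(entry)
        self.prev = entry_hash(entry)   # chain forward
        self.key = evolve_key(self.key)  # old key is now gone from this host
        return entry


def verify_log(entries: List[dict], initial_key: bytes) -> Tuple[bool, Optional[int]]:
    """Verifier side (knows the initial key, kept off the logging host).

    Returns (ok, position of the first entry that fails), replaying the
    same key schedule and checking sequence, back-link and MAC in turn.
    """
    key = initial_key
    prev = ZERO_HASH
    for i, e in enumerate(entries, start=1):
        if e["seq"] != i or e["prev"] != prev.hex():
            return False, i  # gap, reorder or deletion inside the chain
        expected = entry_mac(key, e["seq"], prev, e["msg"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i  # content or MAC altered
        prev = entry_hash(e)
        key = evolve_key(key)
    return True, None


def demo() -> dict:
    """Write three constructed syslog lines, then try three kinds of tampering."""
    key0 = hashlib.sha256(b"shared secret installed at setup time").digest()  # constructed
    log = ChainedLog(key0)
    for line in [  # constructed sample lines, not real logs
        "sshd[2101]: Accepted publickey for root from 10.0.0.7",
        "su: pam_unix: session opened for user root",
        "kernel: eth0 entered promiscuous mode",
    ]:
        log.append(line)

    edited = [dict(e) for e in log.entries]
    edited[1]["msg"] = "su: pam_unix: session opened for user nobody"
    deleted = log.entries[:1] + log.entries[2:]   # middle entry removed
    truncated = log.entries[:2]                   # tail chopped off

    return {
        "intact": verify_log(log.entries, key0),
        "edited": verify_log(edited, key0),
        "deleted": verify_log(deleted, key0),
        "truncated": verify_log(truncated, key0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Editing or deleting an entry is caught at that position, but note the last case: silently chopping off the newest entries verifies as intact, because the chain has no notion of how long it should be. That is exactly why the thread's "sequencing" extension and any remote component matter: the verifier must learn the expected count (or a periodic closing record) through a channel the intruder cannot reach, and the crypto per entry is the part the message above worries about for small embedded senders.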