On Tue, 19 Oct 1999, d wrote:

 > > [EMAIL PROTECTED] sez:
 > > It's critically important that logs reflect the time events happened,
 > > however most system clocks are wrong. So let's either build an xntp client
 > > in the syslog server that at least records the "real" time a message was
 > > received.
 > 
 > While I'd be the first to agree that time is critical for any sort of
 > auditing or security, do people agree that accurate time (let alone 
 > specifying a specific format) should be part of a syslog specification?
 > I'd initially vote against that as a design constraint, but I must 
 > confess I haven't given it a great deal of thought.

The exact time an event occurred is difficult to nail down.  Which of
the following do you want to know:

1. When an event actually occurred
2. When the message was passed to syslog
3. When syslog wrote the message to a destination (log file, device,
remote syslog, etc.)

I would imagine the answer is "all of the above".  You may be able to
compare these values to determine the time difference between multiple
servers; or another field could be added specifically indicating the time
difference.  In any case, syslog will need to have the ability to attach
multiple timestamps to each message for each syslog the message passes
through.

Doug Granzow ([EMAIL PROTECTED])
Unix Security Engineer, Digex
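
The multiple-timestamp idea in the message above, sketched as an added example that is not part of the original post or of any syslog implementation. The record layout, field names, host names and sample values are all assumptions made for illustration; times are integer milliseconds.

```python
from dataclasses import dataclass, field

@dataclass
class Hop:
    host: str
    received_ms: int  # this host's clock when the message reached its syslog
    written_ms: int   # this host's clock when its syslog wrote or forwarded it

@dataclass
class Message:
    text: str
    event_ms: int     # origin host's clock when the event occurred
    hops: list = field(default_factory=list)

def hop_deltas(msg):
    """Next hop's receive time minus previous hop's write time, per link.
    Each value is network transit plus the clock difference of the two hosts."""
    return [(a.host, b.host, b.received_ms - a.written_ms)
            for a, b in zip(msg.hops, msg.hops[1:])]

def suspect_links(msg, max_transit_ms=1000):
    """Links whose delta is negative or larger than any plausible transit."""
    return [d for d in hop_deltas(msg) if not 0 <= d[2] <= max_transit_ms]

def event_time_on_last_clock(msg):
    """Estimate the event time on the final hop's clock.
    Durations measured on a single host are unaffected by that host's offset,
    so subtract them from the final receive time; transit time is unknown and
    ignored, which makes the estimate late by the total transit."""
    first, last = msg.hops[0], msg.hops[-1]
    elapsed = first.written_ms - msg.event_ms
    elapsed += sum(h.written_ms - h.received_ms for h in msg.hops[1:-1])
    return last.received_ms - elapsed

def sample():
    # Constructed data: web01's clock runs 120 s fast; relay01 and loghost are correct.
    msg = Message("login failure for root", event_ms=1_120_000)
    msg.hops.append(Hop("web01", 1_120_200, 1_120_300))
    msg.hops.append(Hop("relay01", 1_000_350, 1_000_400))
    msg.hops.append(Hop("loghost", 1_000_450, 1_000_500))
    return msg

if __name__ == "__main__":
    m = sample()
    print(hop_deltas(m))
    print(suspect_links(m))
    print(event_time_on_last_clock(m))
```

In the constructed sample the true event time is 1,000,000 ms, so the estimate is late by exactly the 100 ms of network transit that the timestamps cannot measure.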
