On Wed, 20 Oct 1999, Balazs Scheidler wrote:
> > - Possibility to use this protocol on a serial cable: We have a machine
> > with eight serial ports and no network connection as the log server
> > here. I don't want to open the log server to the net or even expose its
> > presence to the casual hacker using nmap.
> This is an implementation issue IMHO.
Not really. The protocol should be able to work without multiple
channels or out-of-band data, or we need an underlying packet transport
mechanism. And any additional mechanism increases the possibility of a
buffer overrun/remote root attack, which I, if I cannot avoid this on the
server, still want my logging host to be exempt from.
> > - Compression of equal/similar(?) lines at the originating host.
> This should be accomplished with a repetition count assigned to messages.
> "Last message repeated NNN times" makes it quite difficult to find the
> original message.
The "last line repeated" stuff has the advantage of having the line logged
at least once, even if the system crashes later on (DoS attack). We could
have the receiving host bundle information later on (such as in
13:30 abc def[123]: ghi
13:33 abc 300x def[123] ghi ),
but I still want stuff to be logged on the first occasion.
Simon
PGP public key available from ftp://phobos.fs.tum.de/pub/pgp/geier.asc
Fingerprint: 10 62 F6 F5 C0 5D 9E D8 47 05 1B 8A 22 E5 4E C1
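The receiver-side bundling Simon sketches above (first occurrence logged right away, later repeats summarised as "NNNx") as an added example; this is illustrative code written for this page, not syslog-ng's or any poster's code, and the "HH:MM host message" line format and the sample lines are constructed to match the thread's example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed line format "HH:MM host message", as in the thread's example.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}) (?P<host>\S+) (?P<body>.+)$")


def coalesce(lines: Iterable[str]) -> List[str]:
    """Bundle repeated messages on the receiving host.

    The first occurrence of a message is emitted unchanged and immediately,
    so it is on disk even if the sender dies right afterwards.  Subsequent
    identical (host, body) pairs are only counted; they are summarised as
    "HH:MM host Nx body" when a different message arrives or input ends,
    where N is the number of suppressed repeats and HH:MM the time of the
    last one.  Unparseable lines are passed through untouched.
    """
    out: List[str] = []
    current: Optional[Tuple[str, str]] = None  # (host, body) being counted
    repeats = 0
    last_ts = ""

    def flush() -> None:
        # Emit the summary line for the message currently being counted.
        if current is not None and repeats > 0:
            out.append(f"{last_ts} {current[0]} {repeats}x {current[1]}")

    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            flush()
            current, repeats = None, 0
            out.append(line)
            continue
        key = (m["host"], m["body"])
        if key == current:
            repeats += 1
            last_ts = m["ts"]
            continue
        flush()
        current, repeats, last_ts = key, 0, m["ts"]
        out.append(line)  # first occurrence: always logged at once
    flush()
    return out


# Constructed input: one original line followed by 300 identical repeats.
SAMPLE = ["13:30 abc def[123]: ghi"] + ["13:33 abc def[123]: ghi"] * 300

if __name__ == "__main__":
    print("\n".join(coalesce(SAMPLE)))
```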