Folks:
Audit trail time....and let's not forget that there may be a cascade
chain of syslog hosts that the message needs to transit that may not be time
synch'd....
TRAVEL: At Scient SF as of 27th of Sept. -- Traveling often, no sched. yet
Regards,
b c++'ing u,
%-) sjs
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------
Stefan Jon Silverman SJS Associates, N.A., Inc.
698 West End Avenue - Suite 15-B
New York, NY 10025
E-mail: [EMAIL PROTECTED] Phone: 212 662 9450
Website: http://www.sjsinc.com Fax: 212 662 9461
Text-Page: [EMAIL PROTECTED] Cell: 917 929 1668
-------------------------------------------------------------------------------
In San Francisco
Scient: 415 591 3973 [EMAIL PROTECTED] (MD - Infrastructure Arch.)
Home: 415 929 0406 [EMAIL PROTECTED] (1155 Jones, Apt. 303 - 94133)
-------------------------------------------------------------------------------
On Tue, 19 Oct 1999, Douglas Granzow wrote:
>
>
> On Tue, 19 Oct 1999, d wrote:
>
> > > [EMAIL PROTECTED] sez:
> > > It's critically important that logs reflect the time events happened,
> > > however most system clocks are wrong. So let's either build an xntp client
> > > in the syslog server that at least records the "real" time a message was
> > > received.
> >
> > While I'd be the first to agree that time is critical for any sort of
> > auditing or security, do people agree that accurate time (let alone
> > specifying a specific format) should be part of a syslog specification?
> > I'd initially vote against that as a design constraint, but I must
> > confess I haven't given it a great deal of thought.
>
> The exact time an event occurred is difficult to nail down. Which of
> the following do you want to know:
>
> 1. When an event actually occurred
> 2. When the message was passed to syslog
> 3. When syslog wrote the message to a destination (log file, device,
> remote syslog, etc.)
>
> I would imagine the answer is "all of the above". You may be able to
> compare these values to determine the time difference between multiple
> servers; or another field could be added specifically indicating the time
> difference. In any case, syslog will need to have the ability to attach
> multiple timestamps to each message for each syslog the message passes
> through.
>
> Doug Granzow ([EMAIL PROTECTED])
> Unix Security Engineer, Digex
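Doug's proposal of stamping the message at every syslog it passes through, together with Stefan's point about relay chains that are not time-synchronised, as an added example that is not code from either poster or from any syslog implementation: a constructed hop-stamped message model in Python that estimates each host's clock offset against an NTP-synchronised collector, recovers the event time in the collector's time base, and flags hosts that are out of sync or whose own stamps run backwards. The message layout, hostnames and sample stamps are constructed, and wire latency between hops is assumed negligible next to clock error.

```python
# Constructed multi-timestamp relay chain (not an RFC syslog format): every host
# appends (received, forwarded) stamps from its own clock; the last hop is the
# collector, assumed NTP-synchronised and used as the reference clock.
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Hop:
    host: str
    received: float   # local clock when this host's syslog got the message (Doug's #2)
    forwarded: float  # local clock when it wrote or relayed it onward (Doug's #3)

@dataclass
class Message:
    text: str
    event_time: float                               # originator's clock at the event (Doug's #1)
    hops: List[Hop] = field(default_factory=list)   # originator first, collector last

def clock_offsets(msg: Message) -> Dict[str, float]:
    """Each host's clock offset relative to the collector (positive = ahead).
    Assuming negligible wire latency, an upstream 'forwarded' stamp and the next
    'received' stamp describe the same instant; link offsets accumulate backwards."""
    offsets = {msg.hops[-1].host: 0.0}
    cumulative = 0.0
    for up, down in zip(reversed(msg.hops[:-1]), reversed(msg.hops[1:])):
        cumulative += up.forwarded - down.received
        offsets[up.host] = cumulative
    return offsets

def corrected_event_time(msg: Message) -> float:
    # Event time re-expressed in the collector's time base.
    return msg.event_time - clock_offsets(msg)[msg.hops[0].host]

def audit_chain(msg: Message, max_skew: float = 1.0) -> List[str]:
    """Findings: hosts more than max_skew seconds off the collector, and hops
    whose own stamps run backwards (clock stepped, or stamps not trustworthy)."""
    findings = []
    for hop in msg.hops:
        if hop.forwarded < hop.received:
            findings.append(f"{hop.host}: forwarded before received, clock unreliable")
    for host, off in clock_offsets(msg).items():
        if abs(off) > max_skew:
            findings.append(f"{host}: clock {off:+.1f}s relative to collector")
    return findings

# Constructed sample: web01 runs 30 s slow, relay-a 120 s fast, collector is the reference.
SAMPLE = Message("sshd: Accepted publickey for alice", event_time=1000.0, hops=[
    Hop("web01", received=1000.2, forwarded=1000.3),
    Hop("relay-a", received=1150.3, forwarded=1150.5),
    Hop("collector", received=1030.5, forwarded=1030.5),
])
```

Without the reverse-path measurement NTP uses, the offsets are upper bounds that absorb transit latency, which is why a skew threshold rather than exact equality is used when flagging a host.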