In some email I received from [EMAIL PROTECTED], sie wrote:
> I'm interested in finding even a partial solution that can work with the
> existing population of UNIX syslog daemons.
>
> I have been most concerned about authentication of log reports, and
> scenarios in which an attacker interested in a particular device is able to
> "chaff" the event logging system with bogus reports that claim to be from
> other devices on the network. I'm considering adding an optional
> authentication field to the syslog message that's an MD5 hash of the
> message and a secret shared between log client and log server, making it
> possible to filter the log for device level authentication. Because there
> may be log messages with identical content there should be a nonce present
> in the message text. I suggest that this nonce be the value of the
> preceding log message from this client -- which should make it possible to
> independently serialize the stream from this client, without reference to
> timestamps at the server, and to detect missing or bogus log reports.

How do you deal with lost messages (which are H0 for the next message) ?

Darren

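The chained-nonce scheme quoted above, and the lost-message problem Darren raises, as an added worked example (not code from either poster). It assumes an HMAC-MD5 construction over the shared secret rather than a bare MD5 of message plus secret, a fixed all-zero starting nonce H0, a constructed secret and sample messages, and a receiver policy that resynchronises the chain on any authentic record while flagging the gap; none of those choices come from the thread.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"   # constructed for this example only
H0 = "0" * 32                            # starting nonce before any report (assumption)

def tag(nonce: str, text: str, secret: bytes = SECRET) -> str:
    """Authentication field: HMAC-MD5 over the nonce (previous tag) and the text."""
    return hmac.new(secret, f"{nonce} {text}".encode(), hashlib.md5).hexdigest()

def client_emit(messages, secret: bytes = SECRET):
    """Log client: each report carries the tag of the preceding report as its nonce.
    Returns the wire records as (nonce, text, tag) tuples."""
    prev, records = H0, []
    for text in messages:
        t = tag(prev, text, secret)
        records.append((prev, text, t))
        prev = t
    return records

def server_verify(records, secret: bytes = SECRET):
    """Log server: one verdict per record.
    'bogus'  tag does not verify (chaff, or tampered in transit)
    'gap'    tag verifies but the nonce is not the last accepted tag: a report was lost
    'ok'     tag verifies and the chain is unbroken
    After any authentic record the chain resynchronises, so one loss does not
    make every later report unverifiable (a policy choice, not from the thread)."""
    expected, verdicts = H0, []
    for nonce, text, t in records:
        if not hmac.compare_digest(tag(nonce, text, secret), t):
            verdicts.append("bogus")
            continue
        verdicts.append("ok" if nonce == expected else "gap")
        expected = t
    return verdicts

def demo():
    """Constructed stream: one report lost in transit, then one forged without the secret."""
    stream = client_emit(["su: root login on tty1",
                          "sshd: accepted publickey for alice",
                          "cron: nightly backup finished"])
    lost_second = [stream[0], stream[2]]
    chaff = (stream[2][2], "kernel: disk ok", "deadbeef" * 4)   # attacker lacks SECRET
    return server_verify(lost_second), server_verify(stream + [chaff])
```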