Douglas Granzow wrote:
>
> I think one of our goals should be to create a protocol which can be used
> on any platform. Any discussions of configuration files, kill signals,
> command line options, etc. are going to be system-specific and are outside
> the scope of the protocol itself. The protocol should be usable whether
> the device is Unix, Windows, Cisco, vending machine, or watch.
Yes!! I believe this is something we have to keep in mind through the whole
process of designing syslog2, or whatever the name will be.
I also believe that all the talk about TCP vs. UDP is pointless at this stage.
I would only go into that once I have defined what exactly the new protocol
should do; then choosing which transport to use, and what to use it for,
seems more rational.
(This of course without thinking about syslogd compatibility; let's just
forget about that for a moment too.)
It seems to me easier to first define what we want and need in the new
logging mechanism, and then to find out how to accomplish our goals.
So far, and doing a bit more of a summary (btw, someone should summarize
all the traffic on the list at least once a week), we have:
. syslog clients, those that generate messages to be logged
. syslog servers, those that store messages from one or more syslog clients
Also, on the same machine we can have both: a syslogd acting as a server
and as a client.

We need to define:
. functionality for the syslog clients: how the messages are generated, what
metadata they must have (timestamps, priority/facility, originator pid,
user, tags, measures that ensure integrity of the generated data), what
interactions with the syslog client are allowed from the actual data
providers (processes, apps, kernel) and how those interactions are to be done
[define requirements for a log client? define an API?].
. functionality for the syslog servers: how are they supposed to store the
data, what kind of security measures must be present in the stored data
(MACs? encryption? immutability of the files? ACLs?), serialization of
stored data from different sources, availability issues and how to avoid
DoS attacks, etc.
[define requirements for a log server?]
. communication between clients and servers: what is needed? mutual
authentication, reliability, must be possible with a high volume of data,
must be possible over slow links? over serial lines? across security
domains, firewall friendly, must ensure integrity of data on the wire?
privacy? must minimize overhead? maximize throughput?
[define a protocol]
. management and maintenance of the components of the logging system itself:
configuration changes, default behaviour for each component in the presence
of various events, usage of different authentication methods, crypto
algorithms, alerts, etc.
[define an API? MIB? minimum management requirements?]
To this, I add another component:
. functionality of the 'auditor client'. An auditor client is an agent that
retrieves logged data from the syslog server and presents it for
visualization either by a human being or a program.
In this scope, the syslog server also performs the functions of an
"auditor server": it provides the means for data retrieval, and the
interaction between auditor clients and servers should be specified as
well. A protocol that rules the communication between these servers and
clients has several security considerations, but those are not necessarily
the same as the ones for "syslog client" <--> "syslog server".
i.e. centralized logging in a syslog server does not mean that the auditing
or visualization of the logged data is to be done centralized also. Perhaps
provisions for different operations on the logged data should be specified;
signing comes to mind. It might be the case that a log file should only be
zapped after a group of people has read it, or that the admin at the logging
server should not be able to alter the security parameters for the
authentication methods, etc.
Yes, I admit it, the above is biased by our (CORE's) current approach to the
problem, but regardless of that I feel that a first stage of determining
exactly what we expect from each component of the logging system is
necessary before deciding how many facilities are needed, what transport
protocol should be used, whether or not we should support old syslog, how
we are going to implement timestamps if at all, etc.
-ivan
--
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house.
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
--------------------------------------------------------------------------------------------
Iván Arce <[EMAIL PROTECTED]>
Presidente
CORE SDI S.A.
Pte. Juan D. Peron 315 4to UF17 (1394) Buenos Aires, Argentina.
TE/FAX: +54-11-43-31-54-02 +54-11-43-31-54-09
PGP fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
--------------------------------------------------------------------------------------------
--- For a personal reply use [EMAIL PROTECTED]
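The record format and integrity measures that the message above asks for (per-record metadata, a MAC over the generated data, storage that cannot be silently edited even by the admin at the logging server) can be illustrated with a small hash-chained log. What follows is an added example written for this page; it is not code from the message, from the list, or from CORE's own software. The client HMACs every record under a key that is evolved one-way after each entry (so a later compromise of the client cannot be used to forge earlier entries) and binds each record to the previous record's MAC; the verifier replays the key schedule and reports the first record that fails. The field names, the sample events and the shared secret are all assumptions invented for the example. One caveat worth keeping in mind: with a symmetric MAC, whoever holds the initial key (here the verifier) can also rebuild the chain, so the "admin at the logging server should not be able to alter" property needs either signatures or an auditor who holds the key while the server itself does not.

```python
import hashlib
import hmac
import json

# Constructed sample events (not taken from any real system). The fields
# mirror the metadata listed in the message: timestamp, facility, severity,
# originator pid, user, tags, and the message text.
SAMPLE_EVENTS = [
    ("2000-01-05T10:00:01Z", "auth", "info", 1234, "root", ["login"],
     "session opened for user root"),
    ("2000-01-05T10:00:07Z", "daemon", "warning", 77, "daemon", ["disk"],
     "disk /var 91% full"),
    ("2000-01-05T10:00:09Z", "auth", "err", 1240, "nobody", ["login", "fail"],
     "failed password for invalid user test"),
]

# Assumed shared secret between client and verifier; in practice it would be
# provisioned out of band, and the client erases each key after evolving it.
INITIAL_KEY = hashlib.sha256(b"assumed shared secret for this example").digest()


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so client and verifier MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def evolve(key: bytes) -> bytes:
    """One-way key update: knowing key[i+1] does not reveal key[i]."""
    return hashlib.sha256(b"key-evolve:" + key).digest()


class ChainedLogClient:
    """Syslog client side: emits records, each MACed under the current key and
    bound to the previous record's MAC, then discards the key it just used."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._seq = 0
        self._prev_mac = bytes(32)  # all-zero anchor for the first record

    def emit(self, ts, facility, severity, pid, user, tags, msg) -> dict:
        rec = {
            "seq": self._seq, "ts": ts, "facility": facility, "severity": severity,
            "pid": pid, "user": user, "tags": tags, "msg": msg,
            "prev_mac": self._prev_mac.hex(),
        }
        mac = hmac.new(self._key, canonical(rec), hashlib.sha256).digest()
        rec["mac"] = mac.hex()
        self._key = evolve(self._key)  # forward security: the old key is gone
        self._prev_mac = mac
        self._seq += 1
        return rec


def verify_chain(records, initial_key: bytes):
    """Auditor/server side: replay the key schedule and check every link.
    Returns (True, n) if all n records verify, otherwise (False, index of the
    first record that fails)."""
    key = initial_key
    prev = bytes(32)
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        # A gap, reordering or insertion shows up as a wrong sequence number
        # or a broken back-link before the MAC is even checked.
        if body.get("seq") != i or body.get("prev_mac") != prev.hex():
            return False, i
        expected = hmac.new(key, canonical(body), hashlib.sha256).digest()
        try:
            given = bytes.fromhex(rec.get("mac", ""))
        except ValueError:
            return False, i
        if not hmac.compare_digest(expected, given):
            return False, i
        key = evolve(key)
        prev = expected
    return True, len(records)


def demo():
    """Build the chain, then show that editing or deleting a record is detected."""
    client = ChainedLogClient(INITIAL_KEY)
    records = [client.emit(*event) for event in SAMPLE_EVENTS]
    intact = verify_chain(records, INITIAL_KEY)

    tampered = [dict(r) for r in records]
    tampered[1]["msg"] = "disk /var 10% full"  # an admin "fixing" the log
    edited = verify_chain(tampered, INITIAL_KEY)

    deleted = records[:1] + records[2:]  # middle record removed
    removed = verify_chain(deleted, INITIAL_KEY)
    return {"intact": intact, "edited": edited, "deleted": removed}


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL at record ' + str(idx)}")
```

The back-link plus sequence number is what turns per-record MACs into a tamper-evident file: a MAC alone would let the server drop or reorder records without detection, which is exactly the "immutability of the files" requirement from the server-side list above.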