Wow, if only all of this energy were spent solving the real problem (how the attacker gets in) rather than the tangential problem (how do we know he got there), perhaps all of this would be rendered... moot?
I keep hearing the same pattern in this thread over and over again, which is something like this:
"Once we get the binary file, we'll use tool X to convert it into a text file so that we can actually make use of the thing..."
Am I the only one that appreciates the irony here?
Posted Nov 22, 2011 20:27 UTC (Tue) by raven667 (subscriber, #5198)
Wow, if only all of this energy were spent solving the real problem (how the attacker gets in) rather than the tangential problem (how do we know he got there), perhaps all of this would be rendered... moot?
If only the world were that simple. You are never going to be able to prevent a motivated attacker from getting into your system. That's not really practically possible; new vulnerabilities will be discovered at the same rate or faster than you can plug them. What you can do, and what is a better use of resources, is a strong audit capability so that you can throw the bums out as soon as they get in, hopefully before they can cause serious damage. Not that you shouldn't patch as well, but all the patching in the world will never be enough.
The world is a harsh place; you can't prevent all bad things from happening all the time, but you can respond quickly with strength and resilience when they do.
The Journal - a proposed syslog replacement
Posted Nov 23, 2011 9:06 UTC (Wed) by anselm (subscriber, #2796)
There are various interesting things one could straightforwardly do with a well-designed binary log file format that are difficult to do with the current free-for-all text files. Efficient search according to (a combination of) different criteria is perhaps the most obvious candidate.
I agree that it is important to have a tool that will dump the binary file to a readable text file if required, but it seems to me that much of the »binary format sucks, over my dead body« we hear here is due to a Pavlovian reflex.
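To make the point about multi-criteria search concrete, here is an added example (not code from the LWN thread, the journal project, or any commenter): a tiny in-memory structured log store that keeps an exact-match index per (field, value) pair, answers "identifier=X AND priority=Y" queries by intersecting posting sets instead of scanning every record, and includes the dump-to-text tool the comment asks for. The field names are modelled on journal-style keys but the records and the storage layout are entirely constructed here; `linear_scan` stands in for what grepping a flat text file amounts to.

```python
from collections import defaultdict

# Constructed sample records (not real log data). Keys mimic the style of a
# structured journal; the format itself is invented for this example.
SAMPLE_ENTRIES = [
    {"_PID": "1203", "_UID": "0", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "6",
     "MESSAGE": "Accepted publickey for alice from 192.0.2.10 port 51514"},
    {"_PID": "1203", "_UID": "0", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "4",
     "MESSAGE": "Failed password for invalid user admin from 198.51.100.7"},
    {"_PID": "880", "_UID": "0", "SYSLOG_IDENTIFIER": "cron", "PRIORITY": "6",
     "MESSAGE": "(root) CMD (run-parts /etc/cron.hourly)"},
    {"_PID": "1203", "_UID": "0", "SYSLOG_IDENTIFIER": "sshd", "PRIORITY": "4",
     "MESSAGE": "Failed password for invalid user admin from 198.51.100.7"},
    {"_PID": "2210", "_UID": "1000", "SYSLOG_IDENTIFIER": "bash", "PRIORITY": "5",
     "MESSAGE": "user alice ran sudo"},
]


class FieldIndexedLog:
    """Append-only record store with an exact-match index per (field, value)."""

    def __init__(self):
        self.entries = []                 # entry id -> dict of fields
        self._index = defaultdict(set)    # (field, value) -> {entry ids}

    def append(self, entry):
        """Store one record and add it to the posting set of every field it carries."""
        eid = len(self.entries)
        self.entries.append(dict(entry))
        for field, value in entry.items():
            self._index[(field, value)].add(eid)
        return eid

    def query(self, **criteria):
        """Return entry ids matching every field=value criterion (logical AND).

        Each criterion is one dictionary lookup. Intersecting the smallest
        posting set first keeps the work proportional to the rarest term,
        not to the size of the whole log.
        """
        if not criteria:
            return list(range(len(self.entries)))
        postings = sorted((self._index.get(c, set()) for c in criteria.items()),
                          key=len)
        hits = set(postings[0])
        for p in postings[1:]:
            hits &= p
            if not hits:
                break
        return sorted(hits)

    def dump_text(self, ids=None):
        """Render selected entries as classic one-line syslog-style text."""
        if ids is None:
            ids = range(len(self.entries))
        return ["{}[{}]: <{}> {}".format(e["SYSLOG_IDENTIFIER"], e["_PID"],
                                         e["PRIORITY"], e["MESSAGE"])
                for e in (self.entries[i] for i in ids)]


def linear_scan(entries, **criteria):
    """Reference result: touch every record, as a grep over flat text would."""
    return [i for i, e in enumerate(entries)
            if all(e.get(f) == v for f, v in criteria.items())]


def build_sample_log():
    """Load the constructed sample records into an indexed store."""
    log = FieldIndexedLog()
    for e in SAMPLE_ENTRIES:
        log.append(e)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    ids = log.query(SYSLOG_IDENTIFIER="sshd", PRIORITY="4")
    for line in log.dump_text(ids):
        print(line)
```

The index answers the combined query by looking up two posting sets and intersecting them, so the cost scales with the number of matching records rather than the number of records written; `linear_scan` returns the same ids but visits every entry, which is what a text-only store forces every search to do.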