Indeed there will be such tools. It is required as the format is undocumented binary.
The reason some attackers manipulate logs with sed today is simply because it's possible. They will use another tool when it's not.
I hope some of the proponents of this proposal would answer the details about remote seed logging and what problems this would solve as opposed to simply remote logging. This part is completely left out, and I still think the misunderstanding is on my part as it is simply a much too ill thought out proposal otherwise.
Posted Nov 25, 2011 23:31 UTC (Fri) by dlang (✭ supporter ✭, #313)
One argument could be that remote seed logging is low bandwidth compared to full remote logging.
I don't think it's a compelling argument (especially in light of all the complexity involved here, etc), but it's an argument.
By the way, it turns out that there is an RFC on how to properly secure logs, RFC5848, that has been through the mill of analysis, both from a crypto point of view and its limitations (http://www.gerhards.net/download/log_hash_chaining.pdf).
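To make the hash-chaining idea referenced above concrete, here is an added illustration (not from the thread, and not RFC 5848's actual record format): each log line gets a keyed tag that commits to the previous tag, the key evolves one-way after every record, and only the initial seed needs to be kept off-host. A verifier holding that seed recomputes the chain, so a sed-style edit or a deleted record is reported at the index where the chain breaks. The seed and the syslog-style lines are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample syslog-style lines (not taken from the thread).
SAMPLE_LINES = [
    "Nov 25 23:31:00 host sshd[1234]: Accepted publickey for alice from 192.0.2.10",
    "Nov 25 23:31:05 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "Nov 25 23:31:09 host sshd[1234]: session closed for user alice",
]

def _next_key(key: bytes) -> bytes:
    # Forward-secure key evolution: the logger overwrites key_i with key_{i+1}
    # as soon as record i is written, so a later intruder cannot recover key_i
    # and therefore cannot re-tag records written before the compromise.
    return hashlib.sha256(b"evolve" + key).digest()

def _tag(key: bytes, prev_tag: bytes, line: str) -> bytes:
    # Each tag commits to the previous tag (the chain link) and to this line.
    return hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()

def chain_logs(lines, seed: bytes):
    """Return [(line, hex tag)] chained from the seed (the only state a verifier needs)."""
    key, prev = seed, b""
    records = []
    for line in lines:
        tag = _tag(key, prev, line)
        records.append((line, tag.hex()))
        key, prev = _next_key(key), tag
    return records

def verify_chain(records, seed: bytes) -> int:
    """Recompute the chain from the seed; return the index of the first bad record, or -1 if intact.
    A modified, inserted or deleted record breaks every tag from that point on.
    Caveat: silently dropping the *tail* of the log is only detectable if the verifier
    also knows the expected record count or a closing record."""
    key, prev = seed, b""
    for i, (line, tag_hex) in enumerate(records):
        if not hmac.compare_digest(_tag(key, prev, line).hex(), tag_hex):
            return i
        key, prev = _next_key(key), bytes.fromhex(tag_hex)
    return -1

if __name__ == "__main__":
    seed = b"constructed-seed-kept-off-host"
    recs = chain_logs(SAMPLE_LINES, seed)
    assert verify_chain(recs, seed) == -1
    tampered = list(recs)
    tampered[1] = (tampered[1][0].replace("/bin/ls", "/bin/true"), tampered[1][1])  # sed-style edit
    print("first bad record:", verify_chain(tampered, seed))  # prints 1
```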