Different logging formats, standardization...
Every now and then i'm annoyed by the way most applications log.
Each has a different way of logging it's messages (i do not mean how
they write to the log...)
The only thing that most applications do comply to is that they log
through syslog, with their application name and pid.
Some (like gconf) include the username affected as well.
What i would like is some standard to especially express and log the
severity of the message (very useful for filtering!)
if you look at the "violations" standard file of logcheck, you'll see
that an application has no reliable way to determine the serverity of
these messages, therefore they contain words such as "reject", then try
to remove false positives by additional expressions in "ignore.d".
The LSB doesn't say anything about logging, does it?
I think that should be added and standardized there...
But Debian could define and publish such a standard, then submit patches
to upstream to have them support this standard.
If logcheck wouldn't require a _lot_ of manual tweaking for your system
to do any benefit, it could be a more useable security tool.
I know that i can redirect different syslog-severities to different
files; but that severity is not fine grained enough IMHO, and not used
enough by the applications.
Especially applications could need a standard way to highlight messages
that mean security violations and attacks onto services.
Some applications generate "warning" messages in their regular use; and
while still being only warnings, some are non-standard and also need
handling; other warnings are to be ignored...
Syslog gives there only three priorities: CRIT, ERR and WARNING.
For example when a mail is undeliverable, this is a warning, but
certainly not an error. A hacker attack that my software was not
vulnerable is also only a warning, still i'd like to see that in a
different log. (actually i'd like that grepped out of the log and mailed
to me, like logcheck does)
A drawback of syslog certainly is that it only supports logging
different severity to different files; but error log lines could be
accompanied by warning messages; i'd like to have them in the same log
file.
Syslog doesn't support writing the priority into the log files, does it?
I guess that syslog-ng is better here; but the Debian default and
application support is what i'd like to improve.
The debian syslog default configuration sucks, IMHO.
(That doesn't mean that i think other distributions do this better...)
Gruss,
Erich Schubert
--
erich@(mucl.de|debian.org) -- GPG Key ID: 4B3A135C
There was never a good war or a bad peace. - Benjamin Franklin
Go away or i'll replace you with a very small shell script.
Wer nicht zuweilen zuviel empfindet, der empfindet immer zuwenig.
Der Wissende weiß, dass er glauben muß.
Reply to: