[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Different logging formats, standardization...

On Wed, Sep 11, 2002 at 10:08:34PM +0200, Erich Schubert wrote:
> What i would like is some standard to especially express and log the
> severity of the message (very useful for filtering!)

It seems like a good idea in general.

It is very easy to confuse logcheck, for instance by sending email
to attack@localhost...

> If logcheck wouldn't require a _lot_ of manual tweaking for your system
> to do any benefit, it could be a more useable security tool.

One question though: different people may be interested in seeing
different things in the log.

For instance, consider amavis (virus E-Mail scanning):
- some people may want to have immediate indication whenever a virus is
- other people may only want to be immediately notified if a virus is
  received from an internal IP address or other "trusted" computer.
- others may not want to see any indication at all. Or there might want
  details logged just in case they get complaints latter on that mail
  is not getting through.

Another example: some people might treat any connection to the
telnet port as a serious incident, especially if it is not a SSL
or Kerberos based connection, where as others may not care.

This, I think is also a good example of why syslog levels aren't always
sufficient. I can't imagine syslog doing a good job for every situation

Would a standardized logging format help in these cases?
Brian May <bam@debian.org>

Reply to: