
Re: Different logging formats, standardization...



> It is very easy to confuse logcheck, for instance by sending email
> to attack@localhost...

That is exactly what I mean: logcheck has some hit words (for example
"bad") that I frequently hit (my notebook's hostname is bomBADil...)

> One question though: different people may be interested in seeing
> different things in the log.

I disagree here: IMHO it should be logged anyway, and they should be able
to filter the stuff they don't like out of it (and I think syslog-ng would
allow them to not log such stuff at all, if they want to do that)

> For instance, consider amavis (virus E-Mail scanning):
Yep, I use amavis, too.

> - some people may want to have immediate indication whenever a virus is
>   received.
> - other people may only want to be immediately notified if a virus is
>   received from an internal IP address or other "trusted" computer.
> - others may not want to see any indication at all. Or they might want
>   details logged just in case they get complaints later on that mail
>   is not getting through.

This can be done in post-processing, if the logging is verbose enough
IMHO, but it needs to be machine-readable...

> Another example: some people might treat any connection to the
> telnet port as a serious incident, especially if it is not a SSL
> or Kerberos based connection, whereas others may not care.

I agree. And some people might want to be notified only if there is a
significant number of such "incidents" in a certain time frame.

> This, I think is also a good example of why syslog levels aren't always
> sufficient. I can't imagine syslog doing a good job for every situation
> here...

Syslog shouldn't notify; but the applications should pass verbose
information to syslog, so that extra utilities can handle these
situations more easily.

> Would a standardized logging format help in these cases?

IMHO it does.
If logcheck could remove its generic catch-all clauses (where most of
these hits are then ignored by additional clauses afterwards)
by replacing them with some tighter regular expressions
(such as "^[a-z]* security-warning (medium|high|critical)"),
this would certainly be an improvement.

Greetings,
Erich

-- 
        erich@(mucl.de|debian.org)        --        GPG Key ID: 4B3A135C
          Go away or I'll replace you with a very small shell script.
       Good friends are like stars in the night. Even when they are sometimes
            behind the clouds, you know they are there for you.
                    The one who knows knows that he must believe.

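As an added illustration (not code from this thread or from logcheck), a small Python filter that shows the two points made above: a generic case-insensitive keyword rule reports every line from a host named bombadil, while the tighter "security-warning (medium|high|critical)" regex quoted in the mail, combined with a count over a time window, reports only the lines that matter. The sample log lines, the "<program> security-warning <level> ..." message shape and the threshold values are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (hypothetical, not taken from the thread). The
# "<program> security-warning <level> ..." body is the shape the quoted regex expects.
SAMPLE_LOG = [
    "Mar 10 12:00:01 bombadil sshd[411]: Accepted publickey for erich from 192.0.2.7",
    "Mar 10 12:00:02 bombadil amavis[520]: amavis security-warning high virus in mail from 192.0.2.9",
    "Mar 10 12:00:03 bombadil postfix/smtpd[601]: connect from mail.example.net[198.51.100.4]",
    "Mar 10 12:00:04 bombadil inetd[77]: inetd security-warning medium telnet connect from 203.0.113.5",
    "Mar 10 12:05:30 bombadil inetd[77]: inetd security-warning medium telnet connect from 203.0.113.5",
    "Mar 10 12:00:05 bombadil cron[800]: (root) CMD (run-parts /etc/cron.hourly)",
]
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\[]+)(\[\d+\])?: (?P<msg>.*)$")
# A generic case-insensitive catch-all keyword rule: it matches the hostname itself.
LOOSE_RULE = re.compile(r"bad", re.IGNORECASE)
# The tighter rule quoted in the mail, applied to the message body only.
TIGHT_RULE = re.compile(r"^[a-z]* security-warning (?P<level>medium|high|critical)")

def loose_hits(lines):
    """Every line a keyword rule would report; on host bombadil that is all of them."""
    return [line for line in lines if LOOSE_RULE.search(line)]

def tight_hits(lines):
    """(timestamp, program, level) for lines whose body matches the structured rule."""
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here, a real filter would report it
        body = TIGHT_RULE.match(m["msg"])
        if body:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            out.append((ts, m["tag"], body["level"]))
    return out

def notifications(lines, threshold=2, window=timedelta(minutes=10)):
    """high/critical are reported at once; medium only when `threshold` hits
    from the same program fall inside `window` (the time-frame idea above)."""
    recent, out = {}, []
    for ts, tag, level in sorted(tight_hits(lines)):
        if level != "medium":
            out.append((tag, level))
            continue
        recent[tag] = [t for t in recent.get(tag, []) if ts - t <= window] + [ts]
        if len(recent[tag]) >= threshold:
            out.append((tag, "medium x%d" % len(recent[tag])))
    return out
```

On the sample, `loose_hits` reports all six lines because of the hostname alone, while `notifications` yields only the amavis "high" event and the two telnet connects once they fall within the window.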