Re: Different logging formats, standardization...
On Sun, Sep 15, 2002 at 01:59:08AM +0200, Erich Schubert wrote:
> Syslog shouldn't notify; but the applications should pass verbose
> information to syslog, so that extra utilities can handle these
> situations more easily.
> > Would a standardized logging format help in these cases?
> IMHO it does.
> If logcheck could remove it's generic catchall-clauses (where most of
> these hits are then ignored by additional clauses afterwards)
> by replacing them with some tighter regular expressions
> (such as "^[a-z]* security-warning (medium|high|critical)" )
> this certainly is an improvment.
Logcheck is a kludge. Requiring apps to log in a "standard format" to
help logcheck work would only serve to increase the number of conspirators
in and general dirtiness of the kludge.
Filing bugs and LARTing authors who misuse the existing syslog priorities
is a better idea. The theory is that *everything* that is logged at priority
"panic", "alert", "crit" needs to be seen by the admin pretty quickly. "err"
and "warn" (yes I know panic and warn are supposed to be deprecated but
whoever decided on that sucks ;) ) are supposedly pretty important too, and
should be looked at.
"notice" you should probably want to see depending on how busy you are,
"info" will just confirm that normal (but important) things are actually
happening, and "debug" you can ignore.
If a piece of software logs security-critical messages at priority "info",
it sucks and the author should be made aware of that fact. Likewise if it
logs irrelevant tittle-tattle at anything more than "notice" (and that's
Nick Phillips -- firstname.lastname@example.org
Never commit yourself! Let someone else have you committed.