Bugtraq mailing list archives

Re: syslog idea


From: fred () nasirc hq nasa gov (Fred Blonder)
Date: Fri, 07 Oct 1994 11:38:43 -0400


        From: "Jonathan M. Bresler" <jmb () kryten Atinc COM>
        Subject: Re: syslog idea
        To: *Hobbit* <hobbit () bronze lcs mit edu>
        cc: bugtraq () crimelab com

                On Thu, 6 Oct 1994, *Hobbit* wrote:

                If you don't have a secure logging host, there's also a
                possibility of someone breaking in and then trashing
                the logfile to hide their tracks.

                This brought to mind the idea of a "syslog monitor", or
                a process that would just hang out someplace and stat
                the various log files periodically, using some
                mechanism to warn of excessive size, mysterious
                shrinkage, and maybe some other warning signs.

        take a look at tripwire from gene spafford and gene kim at
        purdue.  version 1.2 was released just last month.  it will
        monitor any files you want for changes . . .  it  will also
        checksum those files . . .

The limitation of Tripwire in this application is that log files are
ALWAYS (well, almost) changing, so if Tripwire raised the alarm on a
logfile, your reaction should be: "So what?".  ;-)

At the FIRST Conference in Boston a couple months ago, Gene Spafford
spoke about Tripwire.  Someone in the audience asked about the
possibility of improving Tripwire so that it could checkpoint
logfiles.  Gene seemed to think this was a good idea, and said he'd
consider it in a future version.
-----
Fred Blonder            fred () nasirc hq nasa gov

Hughes STX Corp.        (301) 441-4079
7701 Greenbelt Rd.
Greenbelt, Md.  20770
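The "checkpoint" idea raised in this thread, as an added example that is not part of the original message or of Tripwire itself: record how many bytes of a log have been seen and a digest of exactly those bytes, then on each pass verify that the checkpointed prefix is unchanged and that the file has not shrunk. Normal appends pass silently; truncation and in-place edits raise warnings. The log lines, file names and size threshold are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Checkpoint = (bytes seen so far, SHA-256 of exactly those bytes).  An
# append-only log keeps that prefix intact, so a digest mismatch or a size
# below the checkpoint is a warning sign rather than ordinary growth.

def take_checkpoint(path):
    """Return the log's current size and the digest of its contents."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "digest": hashlib.sha256(data).hexdigest()}

def check_log(path, checkpoint, max_growth=None):
    """Compare the log against a checkpoint; return a list of warnings."""
    warnings = []
    size = os.path.getsize(path)
    if size < checkpoint["size"]:
        warnings.append("shrinkage: %d -> %d bytes" % (checkpoint["size"], size))
        return warnings  # the prefix is gone, nothing more to verify
    with open(path, "rb") as f:
        prefix = f.read(checkpoint["size"])
    if hashlib.sha256(prefix).hexdigest() != checkpoint["digest"]:
        warnings.append("checkpointed region rewritten in place")
    if max_growth is not None and size - checkpoint["size"] > max_growth:
        warnings.append("excessive growth: +%d bytes" % (size - checkpoint["size"]))
    return warnings

def demo():
    """Run the monitor over a constructed log through append, edit, truncate."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages")
        with open(path, "wb") as f:
            f.write(b"Oct  7 11:00:01 host login: ROOT LOGIN ON tty1\n")
        cp = take_checkpoint(path)
        with open(path, "ab") as f:  # ordinary append: expect no warnings
            f.write(b"Oct  7 11:00:05 host sshd: accepted alice\n")
        results["append"] = check_log(path, cp, max_growth=4096)
        with open(path, "r+b") as f:  # same-length edit inside the prefix
            f.write(b"Oct  7 11:00:01 host login: USER LOGIN ON tty1\n")
        results["rewrite"] = check_log(path, cp, max_growth=4096)
        with open(path, "wb"):        # truncate the file entirely
            pass
        results["truncate"] = check_log(path, cp, max_growth=4096)
    return results

if __name__ == "__main__":
    for name, warn in demo().items():
        print(name, warn or "ok")
```

A real monitor would persist the checkpoint somewhere the logging host cannot overwrite it (another machine or read-only media), otherwise the checkpoint is as easy to trash as the log.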
