
Re: [opensuse-security] No time stamps in audit.log?



On 09/03/2014 07:24 PM, Carlos E. R. wrote:
> On 2014-09-04 00:46, pinguin74 wrote:
> 
>>> The timestamp is 1409728889.981
>>>
>>> $ date --date="@1409728889.981"
>>> Wed Sep  3 09:21:29 CEST 2014
> 
>> Is this their goal, to make reading the log file as hard as
>> possible?
> 
> Because it is faster for reading it by software, I'd guess.

In particular if you are sticking those fields into some sort of
database and indexing on the 'timestamp'.

I realise that sophisticated databases can index date fields but they do
so by converting the YY/MM/DD:HH:NN:SS,ss into an integer and
converting it back on display.  So why not start with the integer?

In a corporate setting syslog or whatever can be throwing a lot of
records and the delay of having to do that conversion before stuffing
the record in the database will slow things down.

Why database?  There are tools that can do interesting things in a
corporate setting like look for a penetration coming in through firewall,
switch host application. All very automated. Most of us just look at the
syslog files of a single machine as in "why is that application
misbehaving", but there is a whole business of detecting attacks.

I mean, after all, this is apparmor we are talking about here, not
vanilla syslog, so it *is* about attacks.



-- 
shin (n): A device for finding furniture in the dark.
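As an added illustration of the point made above (not code from the thread or from the audit/AppArmor projects): the `msg=audit(SECONDS.MILLIS:SERIAL)` header of an audit.log record carries the epoch stamp as a plain number, so a collector can store and compare it as an integer and only render a human-readable time when someone actually looks at the record. The parser below does exactly that for a few constructed AppArmor-style records (the 1409728889.981 stamp is the one quoted in the thread; the other values, the ntpd profile, paths and serials, are made up for the example). Time is rendered in UTC by default; pass a tzinfo to get local time such as the CEST shown above.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample records in the Linux audit record format.  They are not
# taken from any real machine; the 1409728889.981 stamp is the one the thread quotes.
SAMPLE_LOG = """\
type=AVC msg=audit(1409728889.981:1042): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ssl/openssl.cnf" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1409728889.981:1042): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="ntpd"
type=AVC msg=audit(1409729000.123:1043): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift" pid=1234 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# Every audit record starts with: type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <fields>
AUDIT_HDR = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): (?P<rest>.*)$'
)
# key=value pairs; values are either a double-quoted string or a bare token
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one audit record. The timestamp is kept as integer milliseconds
    since the epoch, so sorting, indexing and range filters are plain int
    comparisons and no date conversion happens on the ingest path."""
    m = AUDIT_HDR.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group('rest'))}
    return {
        'type': m.group('type'),
        'epoch_ms': int(m.group('sec')) * 1000 + int(m.group('ms')),
        'serial': int(m.group('serial')),
        'fields': fields,
    }


def parse_log(text):
    """Parse a whole audit.log excerpt, skipping lines that are not audit records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def human_time(epoch_ms, tz=timezone.utc):
    """Render the stored integer only at display time. Integer arithmetic on the
    millisecond part avoids float rounding of the fractional seconds."""
    dt = datetime.fromtimestamp(epoch_ms // 1000, tz).replace(microsecond=(epoch_ms % 1000) * 1000)
    return dt.isoformat(timespec='milliseconds')


def denials_since(records, since_epoch_ms):
    """The kind of query a collector runs: AppArmor denials at or after a cut-off.
    The time filter is a single integer comparison per record."""
    return [
        r for r in records
        if r['type'] == 'AVC'
        and r['fields'].get('apparmor') == 'DENIED'
        and r['epoch_ms'] >= since_epoch_ms
    ]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    cest = timezone(timedelta(hours=2))  # the CEST offset used in the quoted date(1) output
    for r in denials_since(recs, 0):
        print(human_time(r['epoch_ms'], cest), r['serial'], r['fields']['profile'], r['fields']['name'])
```

Run it on a real /var/log/audit/audit.log and the output is the denial list with readable times while the stored records stay as integers. For one-off reading without writing any code, `ausearch -i` does the same interpretation of the numeric fields, timestamps included, on the stock audit tooling.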