LogAnalysis
Thread index:
[logs] syslog config file format poll  Sep 06 2007 03:42PM  Rainer Gerhards (rgerhards hq adiscon com)  (2 replies)
  Re: [logs] syslog config file format poll  Sep 07 2007 07:00PM  Andreux Fort (afort choqolat org)  (1 reply)
  Re: [logs] syslog config file format poll  Sep 06 2007 06:31PM  Marcin Antkiewicz (loganalysis kajtek org)  (1 reply)
  Re: [logs] syslog config file format poll  Sep 06 2007 09:13PM  Marcus J. Ranum (mjr ranum com)  (2 replies)
  Re: [logs] syslog config file format poll  Sep 07 2007 10:30AM  Mordechai T. Abzug (morty frakir org)  (2 replies)
  RE: [logs] syslog config file format poll  Sep 10 2007 09:16AM  Rainer Gerhards (rgerhards hq adiscon com)  (1 reply)
  Re: [logs] syslog config file format poll  Sep 07 2007 05:52PM  David Corlette (dcorlette novell com)  (1 reply)
  Re: [logs] syslog config file format poll  Sep 11 2007 12:56PM  Balazs Scheidler (bazsi balabit hu)  (2 replies)
  Re: [logs] syslog config file format poll  Sep 13 2007 03:04AM  David Corlette (dcorlette novell com)  (1 reply)
  Re: [logs] syslog config file format poll  Sep 13 2007 01:43PM  Balazs Scheidler (bazsi balabit hu)  (1 reply)
  RE: [logs] syslog config file format poll  Sep 14 2007 06:12AM  Rainer Gerhards (rgerhards hq adiscon com)
[logs] Syslog - monitoring the bigger picture  Sep 12 2007 07:33PM  Mervin Pearce [SACS] (mervin sacs co za)  (1 reply)
  Re: [logs] Syslog - monitoring the bigger picture  Sep 13 2007 06:10PM  Anton Chuvakin (anton chuvakin org)  (1 reply)
  RE: [logs] Syslog - monitoring the bigger picture  Sep 13 2007 11:11PM  Tina Bird (tbird precision-guesswork com)  (1 reply)
  Re: [logs] Syslog - monitoring the bigger picture  Sep 14 2007 06:25PM  Anton Chuvakin (anton chuvakin org)  (1 reply)
  RE: [logs] Syslog - monitoring the bigger picture  Sep 14 2007 06:52PM  Tina Bird (tbird precision-guesswork com)  (1 reply)
  RE: [logs] Syslog - monitoring the bigger picture  Sep 14 2007 08:10PM  David Corlette (dcorlette novell com)  (2 replies)

RE: [logs] Syslog - monitoring the bigger picture
From: Tina Bird (tbird precision-guesswork com)
> So, Tina - are you planning to coordinate your efforts with
> any of the standards bodies? I am personally involved in the
> Open Group's XDAS project, which has some overlap with what
> you describe, but I've also heard of CERIAS or COAST or
> something, and other similar efforts sponsored by MITRE and such.
>
> The point being, it's great that Splunk is working on this,
> but unless it gets up to sort-of-RFC status, it'll be hard
> for people to find and reference, in my opinion.

Huh? I don't think that what I'm doing is anything that could easily be fit
into an RFC, at least not yet. Right now, a large number of individuals and
organizations (commercial and otherwise) are trying to accumulate knowledge
regarding the operational data that computers put out:

* the complete list of messages that can be produced
* the most frequently seen messages in normal operation
* some set of "Danger, Will Robinson" messages that indicate it's time to panic
* the "information fields" contained in those messages
* how to configure the device (or app, or whatever) to be sure that you get
  records of the kinds of events that administrators really care about

Now, it's possible that -- in the same way that RFC 3164 *documented*
(rather than prescribed) the syslog protocol -- once we've got a few
systems/devices/apps documented in the way I've described above, that we'll
be able to generalize the information to a set of SHOULDs (in the RFC sense)
for vendors and developers to reference. To some extent, this has been done
in George Jones' work on security requirements for network devices (George,
what's the URL? Where are you?), which includes some logging requirements.
Apparently the Common Criteria and/or other "certification mechanisms" also
state requirements for events that must be logged, and at least a subset of
the information they must contain. And I've got skeletons of "events for
which I'd like to see logs" for several categories of devices in my head;
but none of it is the sort of thing I can imagine trying to formalize, at
least not at this point.

The actual situation is even worse than this, because not only do we not
have a repository of this kind of information (which, BTW, folks are already
finding via the miracle of Google), but we have people plowing ahead
developing transport mechanisms and parsers and all kinds of tools *without*
having more than a very superficial grasp of the kind of information they
will be collecting and correlating. How does that work, exactly?

Eric Allman created syslog in the early 80s, right, as part of sendmail.
It's now 2007 and the only advice a newbie gets right now, when they try to
make sense of their computer data, is to look for the weird stuff. There was
a chance there, for a brief time, where one could have documented
*everything*, and then we might be in a better situation today...

I'm not talking rocket science, or funky algorithms, or anything like that.
In fact, I think the combination of dullness and difficulty has been the
great de-motivator for this work in the past. But I firmly believe that we
can't do *anything* rationally until we have a large *observational*
dataset. Beginning a standards movement at this point won't build the
dataset faster -- quite the contrary, if my brief interactions with the
Trusted Computing Group are any indication. So I'm just trying to get the
info in one place, and I'm grateful to Splunk, Daniel Cid/OSSEC, Rainer
Gerhards and everyone else who is trying to do the same thing.

[You would never guess that at one time, I was the poor slob stuck with
"doing the logs," could you?]

Does that explain things more clearly? If not, can you elaborate on how the
process of creating an RFC at this point will help?

cheers -- tbird

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
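The catalog Tina describes above (the complete list of messages a device produces, the ones most frequently seen in normal operation, the "time to panic" subset, and the information fields each carries) can be bootstrapped from raw logs rather than from documentation. The script below is an added example written for this page; it is not code from the original thread or from any of the tools named in it (Splunk, OSSEC, rsyslog). It assumes RFC 3164-formatted input, uses hand-written masking rules and a made-up watchlist that fit the embedded sample, and the sample log lines themselves are constructed. It parses each line's PRI, timestamp, host and tag, reduces the free-text message to a template by masking variable tokens, counts each template, records the values seen in each masked field, and flags templates that are either on the watchlist or sent at severity "err" or worse.

```python
"""Build a small observational dataset from raw RFC 3164 syslog lines: the
distinct message templates a device emits, how often each occurs, the
information fields each carries, and which ones are on a watchlist."""
import re
from collections import defaultdict

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG; lines without a TAG are outside this parser.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Variable parts to mask, applied in order; group "v" is the value to extract.
# Hand-written for the sample below (an assumption), not a general log miner.
MASKS = [
    (re.compile(r"\bfor(?: invalid user)? (?P<v>\S+)"), "user"),  # sshd user names
    (re.compile(r"\b\w+=(?P<v>\S*)"), "val"),                     # key=value pairs
    (re.compile(r"\b(?P<v>\d{1,3}(?:\.\d{1,3}){3})\b"), "ip"),    # IPv4 addresses
    (re.compile(r"(?P<v>/(?:[\w.-]+/)*[\w.-]*)"), "path"),        # filesystem paths
    (re.compile(r"\b(?P<v>\d+)\b"), "num"),                       # remaining integers
]

# Watchlist (assumed for this example) of templates worth paging someone for,
# on top of anything the sender itself marked "err" or worse.
DANGER = re.compile(r"authentication failure|Failed password|invalid user")
DANGER_SEVERITY = SEVERITIES.index("err")

# Constructed sample input (not from the original post): routine sshd and cron
# traffic, a password-guessing attempt, a failed su, and one non-syslog line.
SAMPLE_LOGS = """\
<38>Sep 14 18:52:01 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
<38>Sep 14 18:52:07 host1 sshd[2205]: Accepted publickey for bob from 10.0.0.7 port 51030 ssh2
<38>Sep 14 18:53:15 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
<38>Sep 14 18:53:16 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
<78>Sep 14 18:55:01 host1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
<38>Sep 14 18:56:40 host2 sshd[911]: Accepted publickey for alice from 10.0.0.5 port 51100 ssh2
<37>Sep 14 18:57:02 host2 su[950]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=root
<78>Sep 14 18:58:01 host2 CRON[960]: (root) CMD (run-parts /etc/cron.hourly)
this line is not syslog and is skipped
"""

def parse_line(line):
    """Split one RFC 3164 line into header fields; None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # 24 facilities * 8 severities - 1
        return None
    rec = m.groupdict()
    rec["facility"] = FACILITIES[pri >> 3]
    rec["severity"] = pri & 7
    return rec

def templatize(msg):
    """Replace variable tokens with <placeholders>; return (template, values)."""
    values = []
    for rx, name in MASKS:
        def repl(m, name=name):
            values.append((name, m["v"]))
            whole = m.group(0)
            lo, hi = m.start("v") - m.start(), m.end("v") - m.start()
            return whole[:lo] + "<%s>" % name + whole[hi:]
        msg = rx.sub(repl, msg)
    return msg, values

def build_catalog(lines):
    """Return {(tag, template): info} with counts, hosts, severities, fields."""
    catalog = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        template, values = templatize(rec["msg"])
        info = catalog.setdefault((rec["tag"], template), {
            "count": 0, "hosts": set(), "severities": set(),
            "fields": defaultdict(set), "danger": False})
        info["count"] += 1
        info["hosts"].add(rec["host"])
        info["severities"].add(SEVERITIES[rec["severity"]])
        for name, value in values:
            info["fields"][name].add(value)
        if rec["severity"] <= DANGER_SEVERITY or DANGER.search(template):
            info["danger"] = True
    return catalog

def ranked(catalog):
    """Most frequent first; the top entries are the normal-operation baseline."""
    return sorted(catalog.items(), key=lambda kv: (-kv[1]["count"], kv[0]))

if __name__ == "__main__":
    for (tag, template), info in ranked(build_catalog(SAMPLE_LOGS.splitlines())):
        flag = "DANGER" if info["danger"] else "ok    "
        print("%s %3d %s: %s" % (flag, info["count"], tag, template))
        print("           fields: %s" % {k: sorted(v) for k, v in info["fields"].items()})
```

Run on the embedded sample it yields four templates: the sshd "Accepted publickey" line is the most frequent (the baseline), the two cron lines collapse into one template once the path is masked, and the "Failed password for invalid user" and "authentication failure" templates are flagged because they match the watchlist, not because the senders rated them above "info" or "notice". That last point is the practical caveat: the PRI severity a daemon chooses is rarely a reliable indicator of what an administrator cares about, so the watchlist has to be built from observation, which is what the dataset is for. The masking rules here are deliberately narrow; on a real corpus you would replace them with a template-mining pass.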