Date:      Sat, 18 Feb 2012 16:35:20 -0500
From:      Robert Simmons <rsimmons0@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: periodic security run output gives false positives after 1 year
Message-ID:  <CA+QLa9BWtSND-VOTxXxOJOzy=SsJuJcsDs-9ndpoPnGyKe3THg@mail.gmail.com>
In-Reply-To: <20120217235620.4BEF4106566B@hub.freebsd.org>
References:  <20120217120034.201EB106574C@hub.freebsd.org> <20120217152400.261AC106564A@hub.freebsd.org> <CAE-mSO+sa2Cu0aQksEXGyMnyns3=aAL8odmzQNMEJ77dpUAgmw@mail.gmail.com> <20120217194851.D76DE1065670@hub.freebsd.org> <4F3EE1C9.4030601@quip.cz> <20120217235620.4BEF4106566B@hub.freebsd.org>

On Fri, Feb 17, 2012 at 6:56 PM, Roger Marquis <marquis@roble.com> wrote:
> I don't personally recall a time when everything else wasn't logging the
> year, in one format or another.  That's not to imply that syslogs
> shouldn't be distinguishable by year but the question seems to be where
> the year should be logged, A) on every line or B) in the archive file
> name.

There already is a standard, RFC 5424:
freebsd-security@freebsd.org

You are asking, should we make our own decision to do this totally
differently than the standard set in that RFC, or should we implement
that RFC?

Another option is to do nothing and stick with the way it is.

I think the way to proceed would be to implement RFC 5424, and have it
as a switch in rc.conf, something like:

syslogd_flags="-x"
where x is the new switch that would enable RFC5424 style logging.

This would be optional for now.  Then with FreeBSD 10, 5424 would
become the default with the option now being a flag -y to enable old
style logging for backwards compatibility.

> I suspect it was not common practice to leave logs on the server for more
> than a year when Allman originally wrote syslog, and I have not seen an
> environment where logs are left in /var/log for over a year.  Personally,
> I would rather see FreeBSD stay backwards compatible and A) leave the
> syslog timestamp format alone, instead opting for KIS by simply writing
> the year in the archive file name rather than wasting 5 bytes on every
> line of every syslog log file.  YMMV.

It really shouldn't be a common practice, but we live in a world where
governments are forcing data retention laws.  It is an unfortunate
reality that needs to be dealt with.
http://en.wikipedia.org/wiki/Telecommunications_data_retention

Also, I'm not sure I follow the logic behind some of the people on
this list saying not to implement this at all.  It should be an option
for now, then the default on the other side of a major OS version with
the old way then available as an option.  This seems the most rational
path to take.
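
The practical difference between the two formats under discussion is easiest to see in a parser. The following is an added example written for this archive page; it is not code from the thread, from FreeBSD's syslogd, or from the periodic security scripts. It parses both the traditional BSD header ("Mmm dd hh:mm:ss", no year, no zone) and an RFC 5424 header (RFC 3339 timestamp with year and offset), and shows how a year-less line that is more than a year old is indistinguishable from a fresh one when a "last 24 hours" check is run, which is exactly the false-positive class the thread subject refers to. The log lines, hostnames and addresses are constructed for the example; the "-x" switch mentioned above is the message author's hypothetical and is not implemented here.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Traditional BSD / RFC 3164 header: "Mmm dd hh:mm:ss host ..." (no year, no zone).
BSD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# RFC 5424 header: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG",
# TIMESTAMP being RFC 3339 (full year plus UTC offset) or "-" when unknown.
RFC5424_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<rest>.*)$")

ONE_DAY = timedelta(days=1)


def parse_timestamp(line, now):
    """Return (datetime, ambiguous) for a syslog line, or (None, False) when
    the header is not recognised.  `now` must be timezone-aware.

    RFC 5424 lines carry the year and offset, so the result is exact.
    RFC 3164 lines do not: the year is borrowed from `now`, and a stamp that
    would land in the future is pushed back one year.  The result is flagged
    ambiguous because an entry from any earlier year yields the same value.
    """
    m = RFC5424_RE.match(line)
    if m:
        ts = m.group("ts")
        if ts == "-":
            return None, False
        return datetime.fromisoformat(ts.replace("Z", "+00:00")), False

    m = BSD_RE.match(line)
    if not m:
        return None, False
    month = MONTHS.get(m.group("mon"))
    if month is None:
        return None, False
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    try:
        ts = datetime(now.year, month, int(m.group("day")),
                      hh, mm, ss, tzinfo=now.tzinfo)
        if ts > now:
            ts = ts.replace(year=now.year - 1)
    except ValueError:          # e.g. Feb 29 against a non-leap reference year
        return None, True
    return ts, True


def entries_in_window(lines, now, window):
    """Split `lines` into those dated within `window` before `now` with an
    exact timestamp ("recent") and those that matched the window only under
    an inferred year ("suspect").  The second list is the set of hits a
    year-less format produces once logs are kept for more than a year."""
    recent, suspect = [], []
    for line in lines:
        ts, ambiguous = parse_timestamp(line, now)
        if ts is None or not (now - window <= ts <= now):
            continue
        (suspect if ambiguous else recent).append(line)
    return recent, suspect


# Constructed sample data (not real FreeBSD output).  The reference time is
# one day after the event the first three lines describe; OLD_BSD and
# OLD_5424 record the same event one year earlier, NEW_5424 records it now.
TZ = timezone(timedelta(hours=-5))
NOW = datetime(2012, 2, 19, 3, 0, 0, tzinfo=TZ)
OLD_BSD = ("Feb 18 16:35:20 host sshd[1234]: Failed password for root "
           "from 192.0.2.10 port 4422 ssh2")
OLD_5424 = ("<38>1 2011-02-18T16:35:20-05:00 host sshd 1234 - - Failed "
            "password for root from 192.0.2.10 port 4422 ssh2")
NEW_5424 = ("<38>1 2012-02-18T16:35:20-05:00 host sshd 1234 - - Failed "
            "password for root from 192.0.2.10 port 4422 ssh2")
YEAR_END = ("Dec 31 23:59:59 host sshd[77]: Accepted publickey for admin "
            "from 192.0.2.5 port 5000 ssh2")

if __name__ == "__main__":
    recent, suspect = entries_in_window(
        [OLD_BSD, OLD_5424, NEW_5424, YEAR_END], NOW, ONE_DAY)
    print("exact hits:", recent)      # only the 2012 RFC 5424 line
    print("year-less hits:", suspect)  # the year-old BSD line, wrongly "recent"
```

With the BSD header there is no way to tell the year-old line from a fresh one, so a daily check over an archive that spans more than a year reports it again; the RFC 5424 line with the same content is excluded because its year is on the line. The future-date rollback (YEAR_END parsed in February resolves to the previous December) is the usual heuristic for year-less headers and is itself only correct while the log is under a year old.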


