From owner-freebsd-security Thu Jan 7 04:37:31 1999
Date: Thu, 7 Jan 1999 15:36:15 +0300
From: Vadim Kolontsov
To: Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990107153615.A27741@tversu.ru>
References: <199901070257.SAA02565@salsa.gv.tsc.tdk.com>
In-Reply-To: <199901070257.SAA02565@salsa.gv.tsc.tdk.com>; from Don Lewis on Wed, Jan 06, 1999 at 06:57:22PM -0800

Hi,

On Wed, Jan 06, 1999 at 06:57:22PM -0800, Don Lewis wrote:

> } Yes, it's clear. And I like this approach much better than my
> } attempts. So if everybody thinks that using SCM_CREDS is a good idea,
> } maybe it should be included in -current?
>
> I think so.

I would like to try to do it, and post results here (if nobody already did it).

> } It will not break anything
> } (the only thing which will be changed is log format, but using new
> } feature can be optional -- just another option for syslogd). And it's
> } not hard to implement.
>
> Changing the log format could be bad because it could mess up various
> log parsing scripts. An option would be nice. It would even be
> better if the format could be selected for each logfile. I don't
> know how that could be worked into the syslog.conf format, though.

What about a 3rd (optional) 'options' field in syslog.conf?

By the way, I'm also thinking that it would be useful to add an ability
to filter logs by source machine. My patch for syslogd understands the
following syntax in syslog.conf:

    [machine:]selector;selector;selector action

So the only new (and optional) field is "machine:". It's hostname + domain.
It's too simple; maybe IP ranges, netmasks etc. can be useful.
"machine" can be "*" (or simply skipped) - it means that this line works
for all source addresses.

I'm not sure that it's the ideal syntax if you have a lot of machines (but it
works ok with m4 or copy'n'paste :)

Regards, V.
--
Vadim Kolontsov
Tver Internet Center NOC
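The rule syntax described in the message above, sketched as a small C parser and matcher. This is an added example, not code from the patch or from syslogd: `struct rule`, `put`, `parse_rule` and `rule_matches` are hypothetical names, the sample line is constructed, and the source host name is assumed to have been resolved by the caller already. Selectors are kept as a raw string and matching is exact host name only, as the message describes.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One rule of the proposed form: [machine:]selector;selector;selector action */
struct rule { char machine[256], selectors[256], action[256]; };

/* Copy n bytes into a 256-byte field; fail rather than truncate. */
static int put(char *dst, const char *src, size_t n)
{
    if (n >= 256) return -1;
    memcpy(dst, src, n); dst[n] = '\0';
    return 0;
}

/* Parse one line. Returns 0 on success, -1 on malformed or oversized input. */
int parse_rule(const char *line, struct rule *r)
{
    const char *f = line + strspn(line, " \t");
    size_t flen = strcspn(f, " \t\n");             /* first field */
    const char *act = f + flen + strspn(f + flen, " \t");
    size_t alen = strcspn(act, "\n");
    /* Only a ':' inside the first field separates the machine; an action
     * such as a file path may contain ':' and must not be split. */
    const char *colon = memchr(f, ':', flen);
    size_t mlen = colon ? (size_t)(colon - f) : 0;

    while (alen > 0 && strchr(" \t", act[alen - 1])) alen--;
    if (flen == 0 || alen == 0) return -1;          /* selector and action required */
    if (colon && (mlen == 0 || mlen + 1 == flen)) return -1; /* empty part */
    if (put(r->machine, colon ? f : "*", colon ? mlen : 1) < 0) return -1;
    if (colon) { f = colon + 1; flen -= mlen + 1; }
    if (put(r->selectors, f, flen) < 0) return -1;
    return put(r->action, act, alen);
}

/* "*" (or an omitted prefix) matches every source; names ignore case. */
int rule_matches(const struct rule *r, const char *src_host)
{
    return strcmp(r->machine, "*") == 0 || strcasecmp(r->machine, src_host) == 0;
}

int main(void)
{
    struct rule r; /* the line below is a constructed sample */
    if (parse_rule("gw.example.org:auth.* /var/log/gw.log\n", &r) == 0)
        printf("%s|%s|%s\n", r.machine, r.selectors, r.action);
    return 0;
}
```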