Sorry for posting the question and then being offline. I had a meeting
and after that was a bit more swamped than I expected ;)
Thanks for the good answers so far. My question was vague, but that
reflected that I actually do not exactly know what to ask for. While I
took a look at forensics every now and then, this is not an area where I
have really any deep expertise.
However, I should have stated that I am primarily interested in the
event detection/gathering, transmission and storage part of the picture.
That's where rsyslog can play a role (that limits the "event detection"
process to listening to whoever wants to talk to it). The analysis part
is beyond my scope right now (and probably will be for quite some time).
As I said, I do not have an immediate need, but would like to understand
the needs a bit better (and you have already provided good advice so far :)).
The root cause of my question is that I would like to refine my medium-,
maybe long-term vision. While I think I cannot implement any of the
outcome, it helps me tune the implementation of things I do in a way
that facilitates forensic needs (at least in cases where I have a
choice). Without that information, I would probably do things in ways
that will require much more effort once I get to "forensics-readiness".
I hope this clarifies and sorry for not replying sooner. I will probably
be a bit swamped 'til the end of the week, but will try to be more
responsive now :)
Thanks again for all that fine information, please keep it flowing. It
is very useful.
Rainer

> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com] On Behalf Of RB
> Sent: Wednesday, January 21, 2009 9:59 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Anyone in Computer Forensics?
> On Wed, Jan 21, 2009 at 12:55, <firstname.lastname@example.org> wrote:
> > this is the most paranoid/conservative view, and by this definition there
> > are basically no logs in existence that meet the forensics
> Rather than set an unattainable standard, my intent was to communicate
> the conservative approach forensics would rather take. Edge cases and
> mitigating controls are acceptable as long as they are well-documented
> - that's basic security practice. I would rather see a solution that
> has 100 well-documented lossy edge cases than one that claims to be
> lossless with no proofs to back it.
> > frankly, if you really need write-only media, the best thing to do (volume
> > permitting) is to dump to a printer.
> You may want to recalculate; even 6-point font on large (14.875x11.5")
> tractor-feed paper only fits ~80MB per 3500-sheet box. Or, put
> another way, 2 512-byte events per second will burn through a $70 case
> per day. Or 6.5 reams of US Letter per day. Extremely limited
rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com