On 09/03/2014 07:24 PM, Carlos E. R. wrote:
On 2014-09-04 00:46, pinguin74 wrote:
The timestamp is 1409728889.981
$ date --date="@1409728889.981"
Wed Sep 3 09:21:29 CEST 2014
Is this their goal, to make reading the log file as hard as possible?
Because it is faster for reading it by software, I'd guess.
In particular if you are sticking those fields into some sort of database and indexing on the 'timestamp'. I realise that sophisticated databases can index date fields, but they do so by converting the YY/MM/DD:HH:NN:SS,ss into an integer and converting it back on display. So why not start with the integer?

In a corporate setting syslog or whatever can be throwing a lot of records, and the delay of having to do that conversion before stuffing the record in the database will slow things down.

Why database? There are tools that can do interesting things in a corporate setting, like look for a penetration coming in through firewall, switch, host, application. All very automated. Most of us just look at the syslog files of a single machine, as in "why is that application misbehaving", but there is a whole business of detecting attacks. I mean, after all, this is apparmor we are talking about here, not vanilla syslog, so it *is* about attacks.

-- 
shin (n): A device for finding furniture in the dark.
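As an added illustration of the point made in this thread (example code, not something posted by any of the participants): a small parser for audit-style AppArmor lines that keeps the `audit(<seconds>.<ms>:<serial>)` timestamp as an integer millisecond count, the form a database would index and sort on, and converts it to a human-readable time only at display time. The log lines, serial numbers, profile name and paths are constructed for the example; the `+2` hour offset reproduces the CEST conversion shown above.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines in the audit-style format AppArmor produces when it
# logs through the kernel audit subsystem. Everything after the timestamp
# (serial numbers, profile, paths, pids) is made up for this example.
SAMPLE_LINES = [
    'type=AVC msg=audit(1409728889.981:123): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/example" name="/etc/shadow" pid=4242 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1409728889.981:122): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/example" name="/etc/hosts" pid=4242 comm="example"',
    'type=AVC msg=audit(1409728800.017:119): apparmor="DENIED" operation="exec" '
    'profile="/usr/sbin/example" name="/bin/sh" pid=4242 comm="example"',
]

# audit(<seconds>.<milliseconds>:<serial>): seconds since the Unix epoch
AUDIT_TS = re.compile(r'msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\)')
# key=value pairs; values are either double-quoted or a bare token
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Parse one audit-style line into a dict.

    The timestamp is kept as an integer millisecond count (epoch_ms): directly
    comparable and sortable, with no date parsing needed on the ingest path.
    Returns None if the line carries no audit(...) prefix.
    """
    m = AUDIT_TS.search(line)
    if not m:
        return None
    epoch_ms = int(m.group('sec')) * 1000 + int(m.group('ms'))
    fields = {}
    for key, value in KV.findall(line[m.end():]):
        fields[key] = value.strip('"')
    return {'epoch_ms': epoch_ms, 'serial': int(m.group('serial')), 'fields': fields}


def epoch_ms_to_iso(epoch_ms, utc_offset_hours=0):
    """Render epoch milliseconds for a human, in a fixed-offset zone (CEST is +2)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    dt = datetime.fromtimestamp(epoch_ms / 1000, tz)
    return dt.isoformat(timespec='milliseconds')


def denied_events(lines):
    """Return the DENIED events ordered by (epoch_ms, serial), oldest first."""
    events = [e for e in map(parse_audit_line, lines)
              if e and e['fields'].get('apparmor') == 'DENIED']
    return sorted(events, key=lambda e: (e['epoch_ms'], e['serial']))


if __name__ == '__main__':
    for ev in denied_events(SAMPLE_LINES):
        f = ev['fields']
        print(epoch_ms_to_iso(ev['epoch_ms'], 2), f['profile'], f['operation'], f['name'])
```

Sorting on `(epoch_ms, serial)` rather than on the timestamp alone keeps events with the same millisecond in the order the kernel emitted them; the serial is the tiebreaker the audit format provides for exactly that case.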