Mailinglist Archive: opensuse-security (51 mails)

Re: [opensuse-security] No time stamps in audit.log?
On 2014-09-04 01:53, Anton Aylward wrote:
On 09/03/2014 07:24 PM, Carlos E. R. wrote:
On 2014-09-04 00:46, pinguin74 wrote:

The timestamp is 1409728889.981

$ date --date="@1409728889.981"
Wed Sep 3 09:21:29 CEST 2014

Is this their goal, to make reading the log file as hard as

Because it is faster for reading it by software, I'd guess.

In particular if you are sticking those fields into some sort of
database and indexing on the 'timestamp'.

I realise that sophisticated databases can index date fields but they do
so by converting the YY/MM/DD:HH:NN:SS,ss into an integer and
converting it back on display. So why not start with the integer?

Well, a database can be processed "offline", or delayed, so processing
time is not that crucial. But logs have to be written fast. Not
formatting a field makes it just a bit faster, and also a bit faster to
read (and understand) by another process, if needed.

But syslog does not always write to a plain text file, it can write to
binary databases as well. These take more processing to create, so
optimizing starts to become important... After all, you record some type
of longint, not a text string. Way, way faster.

In a corporate setting syslog or whatever can be throwing a lot of
records and the delay of having to do that conversion before stuffing
the record in the database will slow things down.

Yep. :-)

Why database? There are tools that can do interesting things in a
corporate setting like look for a penetration coming in through firewall,
switch host application. All very automated. Most of us just look at the
syslog files of a single machine as in "why is that application
misbehaving", but there is a whole business of detecting attacks.

I mean, after all, this is apparmor we are talking about here, not
vanilla syslog, so it *is* about attacks.

And, when apparmor starts logging a , it slows down the processes it is
watching, I believe. The processes can not go ahead faster than those
events are written, they have to wait - so everything crawls. Thus
writing those events fast is important. This is a guess, I haven't
verified it, but an educated guess.

Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
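
The conversion discussed in this thread, as an added example that is not part of the original mails: it rewrites the epoch field of audit records into ISO 8601 and selects a time window by plain integer comparison. The record layout `msg=audit(<seconds>.<millis>:<serial>)` and the sample lines are assumptions constructed for the example; only the timestamp 1409728889.981 comes from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed record layout: msg=audit(<epoch seconds>.<millis>:<serial>)
AUDIT_STAMP = re.compile(r"audit\((\d+)\.(\d{3}):(\d+)\)")

# Constructed sample input; only the first timestamp appears in the thread.
SAMPLE = [
    'type=AVC msg=audit(1409728889.981:201): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/example" name="/etc/shadow" pid=4242',
    'type=AVC msg=audit(1409728890.004:202): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/example" name="/etc/passwd" pid=4242',
    "a line without an audit stamp",
]


def stamp_ms(line):
    """Return the record time as integer milliseconds, or None if absent."""
    m = AUDIT_STAMP.search(line)
    if m is None:
        return None
    return int(m.group(1)) * 1000 + int(m.group(2))


def between(lines, start_ms, end_ms):
    """Select records in [start_ms, end_ms) with integer compares only."""
    return [l for l in lines
            if (t := stamp_ms(l)) is not None and start_ms <= t < end_ms]


def humanize(line, tz=timezone.utc):
    """Rewrite the epoch as ISO 8601 for display, keeping the serial number."""
    def repl(m):
        # Integer math keeps the millisecond part exact (no float rounding).
        ts = datetime.fromtimestamp(int(m.group(1)), tz)
        ts += timedelta(milliseconds=int(m.group(2)))
        return f"audit({ts.isoformat(timespec='milliseconds')}:{m.group(3)})"
    return AUDIT_STAMP.sub(repl, line)


if __name__ == "__main__":
    cest = timezone(timedelta(hours=2))  # fixed offset matching the mail
    for record in between(SAMPLE, 1409728889000, 1409728890000):
        print(humanize(record, cest))
```

Filtering happens on the raw integer and formatting is applied only to the records that are shown, which is the split between machine processing and human display that the thread argues for.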
