Re: draft-ietf-opsec-logging-caps-03
On Jun 29, 2007, at 3:55 AM, Ron Bonica wrote:

> - Do we need another requirement that says that it should be difficult,
> if not impossible, to alter the local copy of a log?

Yes, this makes sense. Would it also make sense to specify that
there should in fact be local log storage of some capacity, so that
in the event of network partition or unavailability of the log
collection system, some information would be preserved locally?

> - How should the system behave if some component spews 1,000,000
> instances of the same log message in a 5 second period?

Rate-limiting/sampling upon individual elements of the log (message
type, things like source ip/dest ip or whatever the log contains).
Also, various levels of logging detail should be codified, which
would play into this issue, as well.

> - How should the system behave if some component spews 1,000,000
> different messages in a 5 second period?

See above.

> - How should the system behave when all of the space for local logging
> is exhausted? Drop oldest messages? Tail drop?

This should be configurable and of similar granularity with regard
to the individual elements of the log as noted above. Individual
settings for logging level, sampling/rate-limiting rates, and FIFO
vs. tail-drop would probably make sense.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Equo ne credite, Teucri.
-- Laocoön
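
Added example, not part of the original message or of the draft: a bounded local log store that rate-limits per log element and applies a configurable policy when space is exhausted, run over a constructed burst scaled down from the 1,000,000-message case. The class and function names, the key layout `(message type, source)`, and all numbers are assumptions made for illustration.

```python
from collections import deque

class LocalLogStore:
    """Bounded local log buffer with per-key rate limiting and a drop policy."""

    def __init__(self, capacity, max_per_window, window_s, policy="drop-oldest"):
        if policy not in ("drop-oldest", "tail-drop"):
            raise ValueError("policy must be 'drop-oldest' or 'tail-drop'")
        self.capacity = capacity
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.policy = policy
        self.buf = deque()
        self.windows = {}      # key -> [window_start, count_seen]
        self.suppressed = 0    # records withheld by the rate limiter
        self.dropped = 0       # records lost because local space ran out

    def _store(self, record):
        if len(self.buf) >= self.capacity:
            self.dropped += 1
            if self.policy == "tail-drop":
                return False          # keep the oldest records, lose the new one
            self.buf.popleft()        # drop-oldest (FIFO): evict to make room
        self.buf.append(record)
        return True

    def log(self, now, key, text):
        """key is the log element being limited, e.g. (msg_type, src_ip)."""
        win = self.windows.get(key)
        if win is None or now - win[0] >= self.window_s:
            win = self.windows[key] = [now, 0]   # start a fresh window
        win[1] += 1
        if win[1] > self.max_per_window:
            self.suppressed += 1      # counted, so the loss itself is visible
            return False
        return self._store((now, key, text))

def simulate(policy):
    """Constructed input: one repeated message, then a burst of distinct ones."""
    store = LocalLogStore(capacity=100, max_per_window=10, window_s=5.0, policy=policy)
    for i in range(1000):             # same message, all inside one 5 s window
        store.log(i * 0.001, ("LINK_FLAP", "192.0.2.1"), "link down")
    for i in range(500):              # distinct messages: the limiter cannot help
        store.log(1.0 + i * 0.001, ("ACL_DENY", f"198.51.100.{i % 250}:{i}"), "denied")
    return store
```

With these settings the repeated message is cut to 10 stored records in both runs, while the distinct-message burst overflows the buffer: `drop-oldest` ends up holding only the newest records, and `tail-drop` keeps the earliest ones, including the first `LINK_FLAP` entries.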