[logs] Cross-Platform Log Analysis and Microsoft
Eric Fitzgerald
Eric.Fitzgerald at microsoft.com
Tue Jul 3 00:09:50 PDT 2007
Nah, it doesn't seem that mere mortals can build correct, secure ASN.1 parsers. It's straight XMLSOAP on a secure transport for our stuff, although we have a binary representation format (doesn't seem like OASIS is going to come up with a standard for that anytime soon) and we have a way to do streaming compression on event subscriptions - the WS-Management guys lifted some of the code from the ACS audit forwarding project I worked on. :-)
We extensively prototyped ACS security event log messages (encrypted compressed binary encoded XML). XML infoset increased our message size by about 50% from around 90 bytes/event on the wire to around 140 bytes/event on the wire including all protocol overhead for TCP/IP. I expect that eventlog messages are a bit larger but not an order of magnitude larger.
I considered BEEP for ACS and rejected it as well; I liked the GSS-API integration but it had an unusual combination of XML and non-XML text in the messaging, IIRC. Also there did not exist a reference implementation at the time so there was no possibility for interoperability.
________________________________
From: Marcus J. Ranum [mailto:mjr at ranum.com]
Sent: Mon 7/2/2007 7:27 PM
To: Eric Fitzgerald; David Corlette; loganalysis at loganalysis.org
Subject: RE: [logs] Cross-Platform Log Analysis and Microsoft
Eric Fitzgerald wrote:
>Regarding security, it doesn't matter if the whole rest of the world
>uses telnet, SNMP and syslog for management, Microsoft cannot afford to.
By the way - a little trivia:
SNMP (which stands for "security? not my problem.") was brought
to us by Marshall Rose - the same guy who had his fingers in
MIME and BEEP. Syslog was brought to us by Eric Allman, who
also brought us sendmail.
I've got nothing personal against them (in fact, Eric's a really great
guy who feels genuine pain when I periodically ridicule his software)*
but I figure that if you totalled up all the effort wasted thanks to
those gentlemen's software they've done more damage to the
art of modern networking than all the leet hackers combined.
Speaking of BEEP - what's the status of that monstrosity? Has
its head been sawed off and its mouth packed with garlic, yet? Is the
stake still through its heart?
Of course, from what Eric said in his post - that Microsoft's
direction is firmly web-enabled, I expect that they're going to
offer some kind of ASN.1 encoded in XML over SOAP over PPP
over SSL log-forwarding protocol that includes bi-directional firewall
traversal and messages are 1.2 megs apiece.
mjr.
(* But I've got to.)