RE: [loganalysis] Logging standards and such

From: Wright, Joseph G (Gregory), GOVMK (josephgwrightat_private)
Date: Wed Aug 15 2001 - 12:33:33 PDT


    Perhaps it would be worth considering a third profile for syslog-reliable
    <ftp://ftp.isi.edu/internet-drafts/draft-ietf-syslog-reliable-12.txt> based
    on the COOKED profile, which places elements within the <entry>..</entry>
    tag. This allows one to piggyback on the benefits of syslog-reliable, while
    utilizing XML to handle the encoding of the log formats.  Or even extending
    the COOKED profile to allow for unformatted AND XML data between the <entry>
    and </entry> tags.
    
    --
    J. Gregory Wright
    Senior Software Engineer
    AT&T Information Security Center
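As an added illustration of the idea above (not code from the thread, the draft, or any list member): a small Python adaptor that wraps a structured record as XML child elements inside a COOKED-style <entry> element and reads entries back whether the body is XML or plain unformatted text. The attribute names (facility, severity, timestamp, hostname) are my reading of the draft and the element names are assumptions; the point is that attacker-controlled message text, including a literal `</entry>`, stays data rather than breaking the envelope.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical adaptor (added example). Field names become child elements,
# so they must be valid XML names; reject anything else rather than emitting
# a malformed entry that a downstream parser would drop or misread.
_XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def build_entry(fields, facility, severity, timestamp, hostname, message=None):
    """Serialise one log record as a COOKED-style <entry> with XML children."""
    entry = ET.Element(
        "entry",
        facility=str(facility),
        severity=str(severity),
        timestamp=timestamp,
        hostname=hostname,
    )
    if message is not None:
        # ElementTree escapes <, > and & on output, so a message containing
        # "</entry>" cannot terminate the envelope early.
        entry.text = message
    for key, value in fields.items():
        if not _XML_NAME.match(key):
            raise ValueError("field name is not a valid XML name: %r" % key)
        child = ET.SubElement(entry, key)
        child.text = str(value)
    return ET.tostring(entry, encoding="unicode")


def parse_entry(xml_text):
    """Read an <entry> back; works for plain-text bodies and for XML bodies."""
    root = ET.fromstring(xml_text)
    if root.tag != "entry":
        raise ValueError("expected <entry>, got <%s>" % root.tag)
    record = dict(root.attrib)
    record["message"] = (root.text or "").strip()  # text before any child
    for child in root:
        record[child.tag] = child.text or ""
    return record


if __name__ == "__main__":
    # Constructed sample record, not real log data.
    wire = build_entry({"user": "alice", "src": "10.0.0.5"}, 4, 6,
                       "2001-08-15T12:33:33", "host1", message="login ok </entry>")
    print(wire)
    print(parse_entry(wire))
```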
    
    
    -----Original Message-----
    From: Corey Steele [mailto:CSteele@good-sam.com]
    Sent: Wednesday, August 15, 2001 9:19 AM
    To: edward.j.sargissonat_private; loganalysisat_private
    Subject: Re: [loganalysis] Logging standards and such
    
    
    Edward... 
    
    I was thinking about this too!  I think my motivation was slightly different
    (I'm currently researching IDS & Data Fusion theory, and this is one problem
    with the data fusion half of that field) but I think the desire for
    contiguous logging standards is valid!
    
    Is there other interest in this?  (Speak up!)
    
    -C
    
    Corey J. Steele, Security Analyst
    Good Samaritan Society
    e-mail: csteele@good-sam.com
    voice: (605) 362-3899
    
    
    >>> <edward.j.sargissonat_private> 08/13/01 05:17PM >>>
    I've been following the discussion of various logging standards, storage
    daemons and parsers.
    
    There appears to be a plethora of different log formats and a need to be
    able to monitor what is happening from a central point.
    However, there doesn't seem to be a well-known common standard.
    
    Why don't we have a look at defining a common logging standard ourselves?
    We could then write little adaptors which hook into the custom formats and
    spit out our common standard. On top of that we can write standard parsing
    engines that can look at all the traffic and pass it through to standard
    interface tools (e.g. GUI or mail).
    
    I imagine there's enough talent here to do a good job.
    
    What do you think?
    
    Edward
    
    (I speak for myself and not my firm).
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private 
    For additional commands, e-mail: loganalysis-helpat_private 
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 15:44:24 PDT