On Thu, Aug 16, 2001 at 09:51:18AM -0500, Tina Bird wrote:

> The main difficulty I see with data formats in log
> messages is that they might turn into MIBs.

Funny, I've been thinking the same thing. ASN.1 and snmp-trap are a lot
harder to deal with than syslog is.

> So maybe we could reach consensus on the categories of
> events that fall into different syslog priorities, for
> a start?

My local syslog.h file has the following comments:

/*
 * priorities (these are ordered)
 */
#define LOG_EMERG   0 /* system is unusable */
#define LOG_ALERT   1 /* action must be taken immediately */
#define LOG_CRIT    2 /* critical conditions */
#define LOG_ERR     3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE  5 /* normal but significant condition */
#define LOG_INFO    6 /* informational */
#define LOG_DEBUG   7 /* debug-level messages */

Sounds good to me. :)

Regarding data formats, what I would find useful is a descriptive rather
than a prescriptive list of what syslog messages are actually out there.
I.e.:

named-xfer: send AXFR query 0 to ($ip_pat)
named: unrelated additional info \'($host_pat)\' type A from \[($ip_pat)\]\.($port_pat)
named.*Err/TO getting serial# for "($zone_pat)"
sshd: Could not reverse map address ($ip_pat)\.
sshd: Did not receive ident string from ($ip_pat)\.

Etc.

Once what is out there is well-described, automating some translation
process for a particular set of logs should be pretty easy. Although
normalization might still be tricky. For example, logs from two different
pop3 daemons include different information. If you normalize, you may end
up with a lowest common denominator scenario.

- Morty

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
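The descriptive pattern catalogue Morty sketches above, together with the syslog.h severity table, as an added worked example (this is editor-supplied code, not code from the original post or from the loganalysis list). It assumes concrete definitions for the `$ip_pat`, `$host_pat`, `$port_pat` and `$zone_pat` placeholders, assumes the classic BSD syslog line layout (optional `<PRI>`, timestamp, host, program, optional pid, message), and runs over a handful of constructed log lines. The `lowest_common` function shows the normalization caveat from the last paragraph: once records from different programs are squeezed into one shared schema, the zone, host and port fields that only some messages carry are lost.

```python
import re

# Severity names from the syslog.h table quoted in the message (PRI % 8).
SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
            4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Assumed definitions for the $..._pat placeholders used in the message.
IP_PAT = r"(?:\d{1,3}\.){3}\d{1,3}"
HOST_PAT = r"[A-Za-z0-9.-]+"
PORT_PAT = r"\d{1,5}"
ZONE_PAT = r"[A-Za-z0-9.-]+"

# Descriptive catalogue: (program, event name, regex over the message body).
# Event names are illustrative choices, not names from the original post.
CATALOG = [
    ("named-xfer", "axfr_query",
     re.compile(rf"send AXFR query 0 to (?P<ip>{IP_PAT})")),
    ("named", "unrelated_additional_info",
     re.compile(rf"unrelated additional info '(?P<host>{HOST_PAT})' type A "
                rf"from \[(?P<ip>{IP_PAT})\]\.(?P<port>{PORT_PAT})")),
    ("named", "serial_fetch_failed",
     re.compile(rf'Err/TO getting serial# for "(?P<zone>{ZONE_PAT})"')),
    ("sshd", "reverse_map_failed",
     re.compile(rf"Could not reverse map address (?P<ip>{IP_PAT})\.")),
    ("sshd", "no_ident_string",
     re.compile(rf"Did not receive ident string from (?P<ip>{IP_PAT})\.")),
]

# BSD-style syslog line: optional <PRI>, "Mon dd hh:mm:ss", host, prog[pid]: msg
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Split one syslog line and classify its body against CATALOG.

    Returns None for lines that are not syslog-shaped at all; lines that
    parse but match no catalogue entry come back with event=None so the
    caller can see which messages the descriptive list does not cover yet.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = m.group("pri")
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prog": m.group("prog"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "facility": int(pri) // 8 if pri is not None else None,
        "severity": SEVERITY[int(pri) % 8] if pri is not None else None,
        "event": None,
        "fields": {},
        "msg": m.group("msg"),
    }
    for prog, event, rx in CATALOG:
        if prog != rec["prog"]:
            continue
        hit = rx.search(rec["msg"])
        if hit:
            rec["event"] = event
            rec["fields"] = hit.groupdict()
            break
    return rec


def parse_all(text):
    """Parse every syslog-shaped line in a block of text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unmatched(records):
    """Records whose program is known but whose body hit no catalogue entry."""
    return [r for r in records if r["event"] is None]


def lowest_common(rec):
    """Normalize to the fields every entry can supply: the lowest common
    denominator the message warns about. Program-specific fields such as
    the zone name, queried host or source port do not survive this step."""
    return {"host": rec["host"], "prog": rec["prog"],
            "severity": rec["severity"], "event": rec["event"],
            "src_ip": rec["fields"].get("ip")}


# Constructed sample lines; PRI 27/30/28 = facility 3 (daemon), sev 3/6/4.
SAMPLE = """\
<27>Aug 16 09:51:18 ns1 named-xfer[412]: send AXFR query 0 to 192.0.2.10
<30>Aug 16 09:51:19 ns1 named[400]: unrelated additional info 'mail.example.net' type A from [192.0.2.44].53
<28>Aug 16 09:51:20 ns1 named[400]: Err/TO getting serial# for "example.net"
Aug 16 09:52:01 bastion sshd[2231]: Could not reverse map address 198.51.100.7.
Aug 16 09:52:02 bastion sshd[2232]: Did not receive ident string from 198.51.100.9.
Aug 16 09:52:03 bastion sshd[2233]: Accepted publickey for morty from 198.51.100.9 port 40022 ssh2
"""

if __name__ == "__main__":
    for rec in parse_all(SAMPLE):
        print(rec["prog"], rec["severity"], rec["event"], rec["fields"])
```

Running the block prints one classified record per sample line; the final sshd line is parsed but left with `event=None`, which is exactly the output you would feed back into the descriptive list to grow it. Note that the third `named` entry in the message is written `named.*Err/TO`, so the catalogue uses `search` rather than anchoring at the start of the body.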
This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 11:33:32 PDT