Re: [loganalysis] Logging standards and such

From: Matthew Collins (pinguat_private)
Date: Fri Aug 17 2001 - 05:23:21 PDT


    On Wed, Aug 15, 2001 at 12:21:10AM +0200, Michiel van der Kraats wrote:
    > edward.j.sargissonat_private wrote:
    > > 
    > > Why don't we have a look at defining a common logging standard ourselves?
    > > We could then write little adaptors which hook into the custom formats and
    > > spit out our common standard. On top of that we can write standard parsing
    > > engines that can look at all the traffic and pass it through to standard
    > > interface tools (e.g. GUI or mail).
    > >
    > > What do you think?
    > >
    > 
    
    I'm hijacking this thread and starting from the beginning again ;)
    
    what sort of information are folks interested in? We do a lot of
    stuff here with logging and have quite byzantine in house systems
    for some of it.
    
    I would think, off the top of my head, the following information
    is required to be present *and verifiable*...
    
    transit path:   how this message got where it is. In secure environments
                    having several stages of log relay or processing can be
                    not uncommon.
    content sum:    originator generated sum of all source content
    originator:     source of log; application that generated it
    type:           almost arbitrary; analogous to the existing facility?
    importance:     analogous to the existing level?
    etime:          time of event
    mtime:          time of message
    subject:        the "subject" of the event; source system? user? network segment?
    subject type?:
    human message:  message
    
    
    That's a very rough off the top of my head attempt at header details. Would
    you then want to try and standardise your "human message" section into
    further subheaders, such as one relating to network traffic including
    protocol, source, destination, etc details? One relating to application
    failures?
    
    Do we want to provide a standardised framework for the log message such that
    it becomes, in effect, a machine parsable protocol similar to TCP/IP as
    far as possible?
    
    How important is backward compatibility with existing syslog implementations?
    
    Existing *applications* utilising syslog? Does this have to be native or
    can a "repeater" program that listens to the syslog socket and reformats
    known pattern messages into the new system be used?
    
    Just pondering out loud ;)
    
    Matt
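The header layout sketched in the post (transit path, content sum, originator, type, importance, etime, mtime, subject, human message) and the question of making it a machine-parsable protocol can be tried out concretely. The following is an added example, not code from the post or from the list; it assumes JSON lines as the wire format, a keyed HMAC-SHA256 as the "content sum" (an unkeyed digest would only catch accidental corruption, not a relay rewriting the message), and a constructed shared key between the originator and the collector. The transit path is deliberately left out of the summed content so that each relay can append itself without being able to recompute the originator's sum.

```python
import hashlib
import hmac
import json

# Shared secret between the originator and the collector that verifies the sum
# (constructed demo value; in practice each originator would hold its own key).
ORIGINATOR_KEY = b"constructed-demo-key"

# Originator-authored header fields from the post. transit_path and content_sum
# are added by the originator/relays and are excluded from the summed content.
SUMMED_FIELDS = ("originator", "type", "importance", "etime", "mtime",
                 "subject", "subject_type", "message")


def source_content(rec: dict) -> bytes:
    """Canonical bytes of the originator-authored fields, fixed key order and spacing."""
    return json.dumps({k: rec[k] for k in SUMMED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def originate(key: bytes, **fields) -> dict:
    """Build a record, stamp the originator's keyed sum and start the transit path."""
    rec = dict(fields)
    rec["transit_path"] = [rec["originator"]]
    rec["content_sum"] = hmac.new(key, source_content(rec), hashlib.sha256).hexdigest()
    return rec


def relay(rec: dict, hop: str) -> dict:
    """A relay records itself in the transit path; it holds no key, so the sum is untouched."""
    rec["transit_path"].append(hop)
    return rec


def serialize(rec: dict) -> str:
    """One record per line on the wire (JSON lines, an assumption of this example)."""
    return json.dumps(rec, sort_keys=True)


def parse(line: str) -> dict:
    """Collector-side parse that refuses records missing any required header field."""
    rec = json.loads(line)
    required = SUMMED_FIELDS + ("transit_path", "content_sum")
    missing = [k for k in required if k not in rec]
    if missing:
        raise ValueError(f"record missing required header fields: {missing}")
    return rec


def verify(rec: dict, key: bytes) -> bool:
    """Collector check: the received source content still matches the originator's sum."""
    expected = hmac.new(key, source_content(rec), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["content_sum"])


def demo():
    # Constructed sample event: an originator, two relay hops, then the collector.
    rec = originate(ORIGINATOR_KEY,
                    originator="sshd@host1", type="auth", importance=4,
                    etime=998049670, mtime=998049671,
                    subject="host1", subject_type="system",
                    message="Accepted publickey for alice")
    line = serialize(relay(relay(rec, "relay-a"), "collector"))
    received = parse(line)
    intact = verify(received, ORIGINATOR_KEY)
    # Same record with the human message changed in transit: the sum no longer matches.
    altered = dict(received, message="Accepted publickey for bob")
    return intact, verify(altered, ORIGINATOR_KEY), received["transit_path"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False, ['sshd@host1', 'relay-a', 'collector'])`: the untouched record verifies, the altered one does not, and the transit path shows every hop the message passed through. Keeping the path outside the sum is the design choice that lets relays be untrusted for content yet still accountable for routing.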
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 08:55:21 PDT