Matthew Collins wrote:
>
> I'm hijacking this thread and starting from the beginning again ;)

Fair enough. :-)

> That's a very rough off the top of my head attempt at header details. Would
> you then want to try and standardise your "human message" section into
> further subheaders, such as one relating to network traffic including
> protocol, source, destination, etc. details? One relating to application
> failures?

I would try to integrate with existing methods. For example, applications like Snort already use well-defined formats (I think there's even a DTD, ah yes, IDMEF). I think to make a more extensible logger, you'd want to leave the 'human' message up to the application. (I mean of course its content, not the log metadata.)

I think what we need at the very least is a standardized description of the log entry metadata: where does this log come from, how does it affect life?

Another goal should be that log data should be easy to collect and parse at a central loghost. There it can be sorted into different classes (or hierarchically host > facility > level > message) and you can perform your own local customizations (for example, a plugin for Snort's IDMEF).

--
Michiel van der Kraats
also pondering :-)
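The split the post argues for (standard metadata such as host, facility and level handled by the central loghost; the 'human' message content left to the application and its own plugin; entries filed hierarchically host > facility > level > message) can be sketched as a small collector. The following is an added example written for this archive page, not code from the list post, from Snort or from IDMEF. It assumes BSD-style syslog lines with a leading `<PRI>` field as a remote relay would receive them, the sample lines are constructed, and the Snort-like alert layout parsed by the `snort` plugin is a hypothetical format chosen only to show where an application plugin slots in.

```python
"""Minimal central-loghost normaliser (added example, not from the list post).

The collector owns the log-entry metadata (host, facility, level, timestamp,
tag); the application owns the message body and, through a plugin keyed on
its syslog tag, decides how that body is interpreted.
"""
import re
from collections import defaultdict

# Facility and severity names derived from the syslog <PRI> value
# (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mon dd hh:mm:ss host tag[pid]: message", as a syslog relay sees it.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Plugin registry: syslog tag -> callable(message) -> dict of app-specific
# fields. The central host never interprets message content on its own.
PLUGINS = {}


def register_plugin(tag):
    def deco(fn):
        PLUGINS[tag] = fn
        return fn
    return deco


@register_plugin("snort")
def parse_snort(msg):
    """Hypothetical Snort-style alert body (layout assumed for illustration):
    '[gid:sid:rev] Name [Classification: X] [Priority: N] {PROTO} src -> dst'."""
    m = re.match(r"\[(?P<sid>[\d:]+)\] (?P<name>.*?) \[Classification: (?P<cls>[^\]]+)\] "
                 r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)",
                 msg)
    return m.groupdict() if m else {"unparsed": msg}


def parse_line(line):
    """Split one syslog line into collector-owned metadata plus the raw
    application message; returns None for lines that are not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    entry = {
        "host": m.group("host"),
        "facility": FACILITIES[pri >> 3],
        "level": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "message": m.group("msg"),
    }
    plugin = PLUGINS.get(entry["tag"])
    entry["app"] = plugin(entry["message"]) if plugin else {}
    return entry


def classify(lines):
    """File entries hierarchically: {host: {facility: {level: [entry, ...]}}}."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for line in lines:
        e = parse_line(line)
        if e:
            tree[e["host"]][e["facility"]][e["level"]].append(e)
    return tree


# Constructed sample input (documentation address ranges, invented hosts).
SAMPLE_LINES = [
    "<38>Aug 17 22:11:34 gw sshd[2044]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "<12>Aug 17 22:12:01 gw snort[911]: [1:1000001:1] Constructed test alert "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80",
    "<30>Aug 17 22:12:05 db cron[400]: (root) CMD (/usr/bin/backup)",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for host, facilities in classify(SAMPLE_LINES).items():
        for facility, levels in facilities.items():
            for level, entries in levels.items():
                for e in entries:
                    print(host, facility, level, e["tag"], e["app"] or e["message"])
```

Only the plugin for a given tag knows the meaning of that application's message body; everything the collector sorts on comes from the standard envelope, which is the division of labour the post describes.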
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 22:11:34 PDT