Tina Bird wrote:
>1) What sort of state changes "should" applications and operating systems
>log in the first place? --> A standard for programmers

A right way to have done it would have been to have pre-defined certain tokens and had all the applications throw log messages in terms of those values. That would have gotten us around the whole blank-a-blank parsing/tokenizing/normalizing mess that the industry appears to be in today. Obviously, it's not possible to guess all the tokens that would be necessary, but just a step in the right direction would make a huge difference.

Right now BSD syslog has a facility, priority, pid (sometimes) - why not add: targetpath, srcpath, srchost, desthost, etc? So you could crush URLs into srcpath if you're a logging browser and targetpath if you're a web server, etc. It still would mean that to parse things you'd have to branch on the app type and work from there, but at least the fields would already be somewhat tokenized out and pre-assigned. The way it's done now, with mostly free-form strings, is a joke.

And don't EVEN get me started on timestamps. Standardizing logging timestamp layouts is such an obvious requirement it isn't even funny...

But these are changes that would require sweeping mods to all applications that log. The horse is probably out of the barn and into the clover on that issue. :(

mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjrat_private
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
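An added illustration of the pre-assigned tokens proposed in the message above, not code from the original post or from any syslog implementation: a record writer and its parser sharing one token list and one timestamp layout. The `app` token, the key=value wire layout, the control-character escaping and all sample values are assumptions of this example.

```python
import shlex
from datetime import datetime, timezone

# Token names come from the message above; "app", the key=value layout and
# the escaping scheme are assumptions of this example.
FIELDS = ("facility", "priority", "pid", "app",
          "srchost", "desthost", "srcpath", "targetpath")
STAMP = "%Y-%m-%dT%H:%M:%SZ"          # one timestamp layout for every app

def _enc(value):
    # Escape control characters so a value can never start a new log line.
    return shlex.quote(str(value).encode("unicode_escape").decode("ascii"))

def _dec(text):
    return text.encode("ascii").decode("unicode_escape")

def emit(ts, msg="", **fields):
    """Render one record: UTC timestamp, pre-assigned tokens, free text."""
    unknown = sorted(set(fields) - set(FIELDS))
    if unknown:
        raise ValueError(f"unknown token(s): {unknown}")
    parts = [ts.astimezone(timezone.utc).strftime(STAMP)]
    parts += [f"{k}={_enc(fields[k])}" for k in FIELDS if k in fields]
    parts.append(f"msg={_enc(msg)}")
    return " ".join(parts)

def parse(line):
    """Inverse of emit(); no per-application regular expressions."""
    stamp, *tokens = shlex.split(line)
    rec = {"timestamp": datetime.strptime(stamp, STAMP).replace(tzinfo=timezone.utc)}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep or key not in FIELDS + ("msg",):
            raise ValueError(f"malformed token: {tok!r}")
        rec[key] = _dec(value)
    return rec

if __name__ == "__main__":
    # Constructed sample: a web server logging a request path as targetpath.
    when = datetime(2002, 8, 20, 13, 45, 47, tzinfo=timezone.utc)
    line = emit(when, "GET ok\nforged entry", app="httpd", pid=412,
                srchost="192.0.2.10", targetpath="/cgi-bin/search?q=a b")
    print(line)
    print(parse(line))
```

A consumer still branches on `app` to decide what `srcpath` or `targetpath` means, but the split into fields and the timestamp decoding are the same for every source.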
This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 06:45:47 PDT