"Marcus J. Ranum" wrote:
> Darren Reed wrote:
> >Would you like to see log records in XML ? (That's not a joke.)
>
> I carefully chose my words when I said "tokens" - I don't
> think that with log messages you probably need nesting; that's
> easily applied afterwards or by linking events on an event-ID.
> So there's no big difference between:
> <logmsg>
> <srchost>iorek.ranum.com</srchost>
> <targethost>silverserver</targethost>
> <targetpath>http://www.ranum.com>
> ...
> </logmsg>
>
> and:
> srchost=iorek.ranum.com
> targethost=silverserver
> targetpath=
> ...
>
> The differences are only that in one case you have to escape
> '<' '>' and in the other you have to escape '\n' - once the
> data is compressed it's not even a space issue.
>
> Defining a dictionary of tokens is easy. Last time I tried,
> Paul Robertson and I did it over lunch. So it couldn't take
> the IETF more than 4 years or so... ;) The trick is making
> things open-ended enough, avoiding typing, keeping it from
> getting over-engineered, etc.
>
> What you do is define a small (Paul and I had, what, 20?)
> shall I post it? set of tokens and instruct code-writers to
> make as much sense of them as possible. If they have their own
> tokens that are application-specific, they just use them.
> It'd be a huge step forward.
>
> >i.e. the IETF (amongst others) long neglected this area and is only
> >just getting around to formally documenting syslog and some trivial
> >enhancements for that, so it would be way too soon to rule out further
> >progress that might quite likely define a logging protocol nothing
> >like syslog (or any of the TCP syslog things) today.
>
> Logging protocols are easy. Getting everything to log in a sensible
> dictionary of tokens requires touching every application. That's the
> barn door/horse relationship I was referring to. ;)
>
> mjr.
> ---
> Marcus J. Ranum http://www.ranum.com
> Computer and Communications Security mjrat_private
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> https://lists.shmoo.com/mailman/listinfo/loganalysis

If syslog is to provide a logging facility used by ALL applications then
its message format will also need to support logging binary data. XML
could be used, but is probably a little bloated. Until a standard message
format is agreed on, reliable parsing cannot take place. The format must
also be completely extensible and structured.

Some good required tokens would be:

Time
Host
DeviceType (PIX, 2600, PC, Sparc, ...)
Class (Firewall, IDS, Router, ...)
AdvisedPriority (info, warn, crit)

Jason Royes

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
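The token=value record form discussed in the thread, with the newline escaping it needs, the XML form beside it for comparison, and a check for the required tokens proposed in the reply, as an added example that is not part of the thread or of any project's code. The function names and the sample record are my own assumptions.

```python
import re
from xml.sax.saxutils import escape as xml_escape

# Tokens proposed as required in the reply above, with the priorities it lists.
REQUIRED_TOKENS = ("Time", "Host", "DeviceType", "Class", "AdvisedPriority")
PRIORITIES = {"info", "warn", "crit"}

# Only the newline (token delimiter) and the backslash (escape character)
# need escaping in this form; a second '=' in a line is just data.
_ESCAPE = {"\\": "\\\\", "\n": "\\n"}
_UNESCAPE = {"\\\\": "\\", "\\n": "\n"}

def escape_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def unescape_value(text: str) -> str:
    return re.sub(r"\\(\\|n)", lambda m: _UNESCAPE[m.group(0)], text)

def serialize(record: dict) -> str:
    """One 'token=value' line per token; a blank line ends the record."""
    return "".join(f"{k}={escape_value(v)}\n" for k, v in record.items()) + "\n"

def parse(text: str) -> dict:
    """Parse one record; application-specific tokens pass through untouched."""
    record = {}
    for line in text.split("\n"):
        if line == "":          # blank line: end of record
            break
        if "=" not in line:
            raise ValueError(f"malformed token line: {line!r}")
        key, value = line.split("=", 1)
        record[key] = unescape_value(value)
    return record

def validate(record: dict) -> list:
    """Problems a collector would flag before relying on the record."""
    problems = [f"missing {t}" for t in REQUIRED_TOKENS if t not in record]
    if record.get("AdvisedPriority", "info") not in PRIORITIES:
        problems.append(f"bad AdvisedPriority {record['AdvisedPriority']!r}")
    return problems

def to_xml(record: dict) -> str:
    """Same flat record as XML; here '<', '>' and '&' are what need escaping."""
    body = "".join(f"<{k}>{xml_escape(v)}</{k}>" for k, v in record.items())
    return f"<logmsg>{body}</logmsg>"

# Constructed sample: a firewall record whose free-text token contains a
# newline and a backslash, the two characters that break naive line parsing.
SAMPLE = {"Time": "2002-08-20T12:13:45-0700", "Host": "fw1", "DeviceType": "PIX",
          "Class": "Firewall", "AdvisedPriority": "warn",
          "msg": "denied tcp 10.0.0.5:1234 -> 10.0.0.9:22\npath C:\\temp"}
```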
This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 12:13:45 PDT