Hello Andrew and all,

>Create an open source parser/converter that takes current vendor
>messages and converts them into the new "standard" tokenized format. A

Well, you are aware how huge the task is, aren't you? And how boring (=likely unsuitable for community development) large parts of it are? Especially the maintaining and updating part. I guess you have a rough estimate of how many different messages are produced by all modern fw, ids, vpns, hosts, misc security appliances etc...

>database of conversion scripts (using RegExp or other tools) could be
>maintained by the user community and vendors. As new syslog enabled

Hmmm, by vendors? What is the benefit for an individual security product vendor in doing this?

>devices are made available, the vendors would offer the new standard
>tokenized format instead.

That is an example of fixing what works - so, again, how would you motivate vendors to move to "new" syslog devices?

>The WELF (Webtrends extended logging format) is a good start, but it
>only has tokens for firewall type messages.

Well, the main challenge here seems to be developing the format that can equally effectively accommodate various devices, not just firewalls...

Overall, cool idea, but reeeeally hard to implement.

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
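As an added example, not part of the thread, here is a minimal version of the regexp "conversion script database" the quoted proposal describes: one entry per vendor message shape, each mapping a line onto a few WELF-style key=value tokens. The two message shapes are constructed samples (not real vendor formats), and the token names (id, time, fw, rule, proto, src, dst, srcport, dstport) are assumed WELF-style names.

```python
import re

# Constructed sample messages in two different vendor styles (not real captures).
SAMPLE_LINES = [
    'Aug 22 09:34:50 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=23',
    'Aug 22 09:35:01 fw2 acmefw: deny tcp 10.0.0.7:51000 -> 192.0.2.20:445 rule 17',
]

# The "conversion script database": one (name, regex) entry per message shape.
# Named groups become WELF-style tokens; adding a vendor means adding an entry.
CONVERSIONS = [
    ("netfilter-style", re.compile(
        r'^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<fw>\S+) kernel: (?P<rule>\S+) .*?'
        r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+)')),
    ("acmefw-style", re.compile(
        r'^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<fw>\S+) acmefw: (?P<rule>\w+) (?P<proto>\w+) '
        r'(?P<src>[\d.]+):(?P<srcport>\d+) -> (?P<dst>[\d.]+):(?P<dstport>\d+) rule (?P<ruleid>\d+)$')),
]

def convert(line):
    """Return a dict of WELF-style tokens for the first matching shape, or None."""
    for name, pattern in CONVERSIONS:
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["proto"] = fields["proto"].lower()   # normalise across vendors
            return {"id": "firewall", **fields}
    return None   # unknown shape: a human has to write a new conversion entry

def welf_quote(value):
    # Values containing spaces are double-quoted in key=value output.
    return f'"{value}"' if " " in value else value

def to_welf(tokens):
    """Render the token dict as a single WELF-style key=value line."""
    return " ".join(f"{k}={welf_quote(v)}" for k, v in tokens.items())

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        tokens = convert(line)
        print(to_welf(tokens) if tokens else f"UNPARSED: {line}")
```

Lines that match no entry are reported rather than silently dropped, which is the part of the proposal that needs ongoing maintenance as vendors change their message text.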
This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 09:34:50 PDT