Re: Re[2]: [logs] Logging: World Domination

From: Chris Adams (cadamsat_private)
Date: Thu Aug 22 2002 - 16:26:05 PDT


    On Thursday, August 22, 2002, at 01:49 , Ogle Ron (Rennes) wrote:
    > As for the 64k, who knows, don't you remember when the
    > average mail message was less than 10KB?
    
    Network, processor and disk capacity have all increased significantly 
    since then. I'll gladly trade some of the increase if it makes the 
    complexity more manageable.
    
    > But in reality, I really don't want my UDP messages going over 1500 
    > bytes to keep them from fragmenting on the Ether and taking up extra 
    > time on a busy network (not all of us have gigabit ether yet).
    
    All of the modern syslog implementations support TCP; it would be absurd 
    to build a new format and use an unreliable, less efficient transport 
    mechanism (plus we can compress it which will result in less network 
    traffic for large messages). If it's UDP, it's the old format and this 
    doesn't apply.
    
    In any case, even if we were sending it over UDP it wouldn't matter 
    much. How many 1200+ byte syslog messages do you get? We haven't 
    received one on our central syslog server in the last few weeks of logs 
    I just checked.
    
    > Who says that everything has to look alike?  I know that my sendmail logs
    > are very well defined, and my firewall logs, and my dns logs, and my OS
    > error messages, and my web logs, and my ...  This doesn't mean that my
    > sendmail logs look like my firewall logs nor do they have very much in
    > common and none of the data is free style format.
    
    Time spent writing parsers is wasted. Anything we can do which will 
    minimize the amount of time people spend dealing with data formats and 
    free up time for them to spend doing analysis is a win.
    
    Most of the benefits apply mostly to large networks. If you need to get 
    some sendmail stats for a single box, you could do that with a simple 
    shell script. A standard log format becomes handy when you need to 
    collect stats from multiple sendmail, exim, postfix, IMail and NTMail 
    servers floating around various departments and don't want to spend your 
    time figuring out the oddities in the way they record certain things.
    
    Chris
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 18:27:50 PDT