Now that I've read through all the messages in this thread that I've received (thus far), I'm going to put my $0.02 in :-)

First, I think that there's a cart-and-horse problem here. On the one hand, there's some discussion going on about what to log and on the other hand, there's some discussion going on on how to log it. The simple fact is, until you know what you're going to log, having a big, drawn out debate about the benefits of XML vs. whatever style or what timestamp formatting options are premature. In my view, the first level of consensus that needs to be reached is on what needs to be logged, particularly since that decision will most likely dictate the formatting and the toolset involved in how it gets logged in the back-end.

Now, as for what to be logged. There are a number of obvious (to me, at least ;-) things that need to be recorded.

- log signals received (kill -HUP, kill -KILL, etc.) before terminating
- log startup and shutdown
- be able to log all successes and failures of user interaction. This includes packet filters on firewalls
- log every time an error occurs (I tried to write to disk, but disk was full)
- if requested, be able to record performance counters (memory usage, network usage, etc.) on a configurable schedule

From a security perspective (which is where I come from), failure logs should include userids, IP addresses, timestamps, and full paths. A number of the posts so far have been along the lines of "who would write a 1500 byte syslog?", but, as a security guy, I'm constantly frustrated by the lack of sufficient information in an event log message. If you're going to log that a security event occurred, give me all the pertinent data.

Timestamps. I've experimented with setting all our systems to GMT and it befuddled my poor little mind :-) A properly tuned and integrated logging and display system would (probably) take into account both the time zone of the viewer and the logging systems, but this can lead to quite a bit of confusion in a global company. In the end, I gave up on the project and just set every system to its local time due to the lack of a viewer with the built-in converter that could switch time display from server-local to viewer-local to arbitrary-normalized (i.e. world headquarters).

As I said before, the whole religious debate of XML vs. roll-your-own is simply mental masturbation. Until we've solved the fundamental problem of WHAT we're logging, it doesn't make any sense at all to try to figure out HOW we're going to log it.

Now, back to the woodwork for me :-)

Jon

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
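An added example (not code from the post or from the LogAnalysis list) that turns the two requirements above into working code: a failure record that carries every field Jon asks for (userid, IP address, timestamp, full path, plus the actual error), and a display helper that renders the stored UTC instant in the three views he wished a viewer could switch between (server-local, viewer-local, normalized to an arbitrary zone). The field names, the sample values, and the use of fixed UTC offsets in the demo (so it runs without a tz database; `zoneinfo.ZoneInfo` objects work the same way) are all assumptions of this example.

```python
"""Security-failure record with the fields requested in the post above,
plus server-local / viewer-local / normalized timestamp views.
Added example; not code from the original post."""
import json
from datetime import datetime, timedelta, timezone


def make_failure_event(action, userid, src_ip, path, reason, when=None):
    """Build one failure record for a security-relevant event.

    The stored instant is always UTC, so records from a global fleet sort
    and correlate correctly; local views are derived when a record is
    displayed, never when it is written.
    """
    when = when if when is not None else datetime.now(timezone.utc)
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("timestamp must be timezone-aware")
    return {
        "ts_utc": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "outcome": "failure",
        "action": action,   # e.g. "login", "file_write", "packet_filter"
        "userid": userid,
        "src_ip": src_ip,
        "path": path,       # full path, never just a basename
        "reason": reason,   # the actual error, e.g. "disk full"
    }


def to_log_line(event):
    """One record per line, keys sorted, no padding: greppable and
    parseable whichever serialization the list eventually settles on."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def display_timestamp(event, zone):
    """Render the stored UTC instant in any tzinfo (server, viewer, HQ)."""
    instant = datetime.fromisoformat(event["ts_utc"])
    return instant.astimezone(zone).isoformat(timespec="seconds")


def display_views(event, server_zone, viewer_zone, normalized_zone=timezone.utc):
    """The three views the post wanted: server-local, viewer-local,
    and normalized to an arbitrary zone (UTC here, by default)."""
    return {
        "server": display_timestamp(event, server_zone),
        "viewer": display_timestamp(event, viewer_zone),
        "normalized": display_timestamp(event, normalized_zone),
    }


def sample_event():
    """Constructed sample: a failed write on a server whose clock runs at
    UTC-7, viewed by someone at UTC+1. Values are made up for the demo."""
    server_zone = timezone(timedelta(hours=-7))
    viewer_zone = timezone(timedelta(hours=+1))
    when = datetime(2002, 8, 23, 10, 37, 37, tzinfo=server_zone)
    ev = make_failure_event("file_write", "jon", "192.0.2.10",
                            "/var/log/app/audit.log", "disk full", when)
    return ev, server_zone, viewer_zone


if __name__ == "__main__":
    ev, server_zone, viewer_zone = sample_event()
    print(to_log_line(ev))
    for name, shown in display_views(ev, server_zone, viewer_zone).items():
        print(f"{name:>10}: {shown}")
```

Writing the instant once in UTC and converting only at display time is what makes the server/viewer/normalized switch cheap: the converter lives in the viewer, and the stored record never has to be rewritten when a reader in another zone looks at it.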
This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 10:37:37 PDT