> On Tue, 2002-12-03 at 09:37, Marcus J. Ranum wrote:
>> Jason Royes wrote:
>> >Databases (w/ good schema) excel when complex
>> >analysis is required.
>>
>> Databases also require index inserts, support for transaction
>> rollback, and all kinda crazy stuff that makes them completely
>> unsuitable as logging systems. We (the collective unconscious "we")
>> keep using them, though, because they're available and can be
>> made to suit the purpose by throwing a bunch of hardware at the
>> problem - which is cheaper, really, than understanding the problem

I don't think the problem is understanding as much as it is integration
and administration. Using a typical RDBMS has its advantages:

- It is easier to administer a single database system.
- No need to integrate ranumdb with an SQL backend
- Less learning required for log monkeys and developers
- Generate reports with SQL-aware tools
- Large number of SQL-ready packages exist
- Moore's law consoles the bloat

For ex., what happens when you want your inventory database to be
factored into threat analysis?

>
> There's also the convenience of having programming interfaces to them
> in your other tools of choice, like PHP, Perl, etc.
> (also read below)
>
>> lot of simplifying assumptions you can make about logs:
>> - they are inserted in event-sequence
>> - they are approximately clustered by time
>> - you seldom (if ever) will need to seek back 20 minutes
>> and delete a single log record
>> - the fields you'll want to search on are either bounded
>> fairly tightly (priority, source, time) or are
>> free-form (regexp or string fragment) - so you'll
>> either want a very compact primary index for
>> the bounded values and a patricia tree or inverted
>> index for the strings
>
> I like your analysis, and in fact it's pretty close to my own
> conclusions a while ago. But then, when deciding which tools I was
> going to use to implement a logging DB, guess what? It was the
> convenience of having an SQL programming interface in PHP that won the
> battle. :-)
>
> Now, sure, if you can afford the resources, coming up with your own
> thing is the best way. I guess that's not far from what Addamark did
> (although on a completely different scale).
>
>> mjr. ("once a database guy - always a database guy.")
>
> Yeah. :-)
>
> --
> Florin Andrei
>
> It's ok to use the names of your pets or children as passwords
> as long as they contain several non-alphanumeric characters.
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

--
Jason Royes
Data Access Experts, LLC

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
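The simplifying assumptions about logs quoted in the message above (event-sequence inserts, time clustering, no deletes, a compact index for bounded fields, an inverted index for strings), as an added example that is not code from the thread or from any poster. The class name, field names and sample events are constructed for illustration, and a plain token inverted index stands in for the patricia tree.

```python
import bisect
import re
from collections import defaultdict

class AppendOnlyLog:
    """Append-only store: records arrive in event order and are never deleted."""
    def __init__(self, events=()):
        self.records = []                  # (ts, priority, source, message) in arrival order
        self.times = []                    # parallel timestamps, sorted by construction
        self.bounded = defaultdict(list)   # (field, value) -> ascending record ids
        self.tokens = defaultdict(list)    # message token -> ascending record ids
        for event in events:
            self.append(*event)

    def append(self, ts, priority, source, message):
        if self.times and ts < self.times[-1]:
            raise ValueError("records must be appended in event sequence")
        rid = len(self.records)
        self.records.append((ts, priority, source, message))
        self.times.append(ts)
        self.bounded[("priority", priority)].append(rid)
        self.bounded[("source", source)].append(rid)
        for tok in set(re.findall(r"[a-z0-9_.]+", message.lower())):
            self.tokens[tok].append(rid)
        return rid

    def search(self, start=None, end=None, priority=None, source=None, word=None):
        """Return records with start <= ts < end that match every filter given."""
        lo = 0 if start is None else bisect.bisect_left(self.times, start)
        hi = len(self.times) if end is None else bisect.bisect_left(self.times, end)
        postings = [self.bounded.get((f, v), []) for f, v in
                    (("priority", priority), ("source", source)) if v is not None]
        if word is not None:
            postings.append(self.tokens.get(word.lower(), []))
        if not postings:
            return self.records[lo:hi]
        # Ids only grow, so every posting list is sorted: cut each to the time window.
        sets = [set(p[bisect.bisect_left(p, lo):bisect.bisect_left(p, hi)]) for p in postings]
        return [self.records[r] for r in sorted(set.intersection(*sets))]

# Constructed sample events (not taken from the thread).
SAMPLE = [
    (1038936000, "info", "fw1", "accept tcp 10.0.0.5 to 10.0.0.9 port 22"),
    (1038936060, "warn", "sshd", "failed password for root from 10.0.0.5"),
    (1038936120, "warn", "sshd", "failed password for admin from 10.0.0.7"),
    (1038937200, "info", "sshd", "accepted password for admin from 10.0.0.7"),
]
```

Because inserts are in event order, the time window is a binary search over a plain list and no index ever needs rebalancing or rollback support.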
This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 09:29:01 PST