Rainer Gerhards wrote:
> I agree it would be great to have a structured format (and I opt
> nowadays for XML simply because everyone thinks it is easy ;)). But
> there are some basic weaknesses in current syslog. For example, think on
> using it in an occasionally connected network (e.g. radio connected
> moving systems) - clearly there is need for some reliability in the
> transport...

Yes, Syslog UDP is incredibly unreliable. I posted some stuff in here
about that last year... See:
http://lists.shmoo.com/pipermail/loganalysis/2002-January/000412.html

The relevant quote would be:

> Some initial results: on an OpenBSD machine with 800Mhz CPU
> and a bunch of memory syslogging one million records in a while loop
> using the default UNIX domain socket results in a log file containing
> 468677 records - 46% or close to 1/2 the number sent. Drop-outs occurred
> pretty much immediately:
> Jan 29 16:03:19 hussar hammer[17461]: 138
> Jan 29 16:03:19 hussar hammer[17461]: 139
> Jan 29 16:03:19 hussar hammer[17461]: 1896
> Jan 29 16:03:19 hussar hammer[17461]: 1897
>
> 140 records into the session I lost 1700 or so messages. Perhaps this is
> some kind of undocumented "compression" technique? ;-)

So I'm not saying that the guys who are working on better syslog servers
and server-to-server implementations are barking up the wrong tree. The
current syslog implementation is crap that needs to be replaced. But so
does the client side...

With respect to XML and tokenizing, see:
http://lists.shmoo.com/pipermail/loganalysis/2002-August/001089.html
and
http://www.ranum.com/logging/logging-data-map.html

I'm not going to jump back on the whole XML issue other than to make my
standard observation that markup is easy, semantics are hard, and XML is
just markup. ;)

> Sounds interesting - where to find? Who participated? Widely known? I'd
> at least give it some more try.

I'm somewhat hampered by a strong skepticism in the worth of standards
committees and the standards process. :) Which makes me have a lot of
trouble getting excited about wasting time with standards bodies.
Basically, someone needs to just bite the bullet and "do it" which is
highly problematic since it involves a huge amount of app-rewriting and
the value only comes if EVERYONE does it. :( :( :(

mjr.
---
Marcus J. Ranum                  http://www.ranum.com
Computer and Communications Security    mjrat_private
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
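The "hammer" measurement quoted in the message above (send a million sequence-numbered messages through the local syslog socket, then count how many survive and where the drop-outs start) is easy to reproduce, and the same gap analysis is what you want whenever you need to know whether a log pipeline is lossy. The script below is an added example, not code from the original post or from any syslog implementation it discusses. It assumes a BSD-style log line layout like the four quoted lines ("Mon DD HH:MM:SS host tag[pid]: seq"), a UNIX datagram socket at /dev/log for the sender, a fixed tag "hammer", and a made-up PID and facility.priority for the datagrams; the sample log is constructed to mirror the quoted numbers (1..139 present, 140..1895 dropped, 1896..2000 present).

```python
"""Measure syslog message loss from sequence-numbered test messages.

Added example (not from the post). Two parts:
  hammer(n, path)      - fire n numbered datagrams at a syslog socket
                         (assumed to be a UNIX datagram socket such as
                         /dev/log; needs a running syslogd, not run here)
  analyze_gaps(lines)  - given the resulting log lines, report the gaps
"""
import re
import socket
from dataclasses import dataclass, field

# Assumed BSD-style syslog line, e.g. "Jan 29 16:03:19 hussar hammer[17461]: 138".
# The tag and the numeric body are what matter; host and timestamp are captured
# only so that unrelated lines are recognised and skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<seq>\d+)\s*$"
)


@dataclass
class LossReport:
    expected: int                              # number of messages sent
    received: int                              # distinct sequence numbers seen
    gaps: list = field(default_factory=list)   # (first_missing, last_missing) runs

    @property
    def lost(self) -> int:
        return self.expected - self.received

    @property
    def loss_ratio(self) -> float:
        return self.lost / self.expected if self.expected else 0.0

    @property
    def first_loss(self):
        return self.gaps[0][0] if self.gaps else None


def parse_seq(line: str, tag: str = "hammer"):
    """Return the sequence number carried by a log line for `tag`, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("tag") != tag:
        return None
    return int(m.group("seq"))


def analyze_gaps(lines, tag="hammer", expected=None) -> LossReport:
    """Find runs of missing sequence numbers among the log lines for `tag`.

    `expected` is how many messages were sent. Without it the highest number
    seen is used, which means loss at the tail of the run cannot be detected."""
    seen = sorted({s for s in (parse_seq(l, tag) for l in lines) if s is not None})
    if expected is None:
        expected = seen[-1] if seen else 0
    gaps, prev = [], 0
    for s in seen:
        if s > prev + 1:
            gaps.append((prev + 1, s - 1))
        prev = s
    if prev < expected:                        # trailing loss
        gaps.append((prev + 1, expected))
    return LossReport(expected=expected, received=len(seen), gaps=gaps)


def hammer(n: int, path: str = "/dev/log", tag: str = "hammer") -> int:
    """Send n numbered messages to a UNIX datagram syslog socket; return how
    many send() calls succeeded. The PID 12345 and <14> (user.info) are
    assumed for illustration. Not invoked at import time."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sent = 0
    try:
        s.connect(path)
        for i in range(1, n + 1):
            try:
                s.send(f"<14>{tag}[12345]: {i}".encode())
                sent += 1
            except OSError:
                # ENOBUFS/EAGAIN is the only loss the client ever sees; whatever
                # syslogd drops after accepting the datagram is invisible here.
                pass
    finally:
        s.close()
    return sent


def _fake_line(seq: int) -> str:
    """Constructed log line in the quoted format (sample data, not real output)."""
    return f"Jan 29 16:03:19 hussar hammer[17461]: {seq}"


# Constructed sample mirroring the quoted drop-out: 1..139 survive, 140..1895
# vanish, 1896..2000 survive, with two unrelated lines mixed in.
SAMPLE_LOG = (
    ["Jan 29 16:03:19 hussar sshd[220]: Accepted publickey for mjr from 10.0.0.2"]
    + [_fake_line(i) for i in range(1, 140)]
    + [_fake_line(i) for i in range(1896, 2001)]
    + ["Jan 29 16:03:20 hussar cron[301]: (root) CMD (/usr/libexec/atrun)"]
)

if __name__ == "__main__":
    r = analyze_gaps(SAMPLE_LOG, expected=2000)
    print(f"received {r.received}/{r.expected}, lost {r.lost} ({r.loss_ratio:.1%})")
    for a, b in r.gaps:
        print(f"  missing {a}..{b} ({b - a + 1} messages)")
```

Two points worth noting when you run the sender half against a real syslogd: pass the number you actually sent as `expected`, because a loss-free tail is indistinguishable from a dropped tail otherwise, and do not treat a successful `send()` as delivery, since the datagram can still be discarded after the kernel accepts it. That is exactly the asymmetry the post complains about: the client has no way to tell.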
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 13:54:55 PST