RE: [logs] SDSC Secure Syslog

From: Rainer Gerhards (rgerhardsat_private)
Date: Wed Dec 11 2002 - 12:14:29 PST


Marcus,

> Server syslog is, unfortunately, not the problem. :( It's
> easy to roll-out arbitrarily goofy and complicated stuff in
> the servers - let the standards guys worry about that - the
> True Hell of Syslog is going to be in the client apps. Right
> now, everything logs arbitrary strings. At the time, it
> probably seemed like a good idea, and the most flexible
> approach. Unfortunately, the ability to write arbitrary
> untagged data has made syslog nearly useless and spawned an
> industry of application-specific log parsing.

That is why I not only talked about syslog but a "network event logging
protocol". Basically, this already has been done with SNMP, but obviously
the S in SNMP was not simple enough... The whole MIB thing is too
complicated to reach a broad audience.

I agree it would be great to have a structured format (and I opt
nowadays for XML simply because everyone thinks it is easy ;)). But
there are some basic weaknesses in current syslog. For example, think of
using it in an occasionally connected network (e.g. radio-connected
moving systems) - clearly there is a need for some reliability in the
transport...

> If we want to achieve "bang for the buck" in syslogging,
> we'd worry less about the transport and more about the
> contents of what is initially logged. Back a few months ago
> I posted a token dictionary that Paul Robertson and I worked
> up as part of the now-defunct Fargo project. Basically, the
> idea was to tag components of messages with significance and
> some rudimentary information intended to make them easier to
> parse on the backend. Nothing fancy, but more along the lines
> of: [GMT date/time][GMToffset] RAWMSG=string, IPSRC=blah,
> SEVERITY=foo, PATHNAME=blah, APPLICATION=sendmail etc. The
> dictionary used need not be large, complex, or complete, but
> it'd make huge strides in the right direction because the
> rest of the parse rule could be MUCH more accurately matched
> based on the presence and content of the various tokens.

Sounds interesting - where to find it? Who participated? Widely known? I'd
at least give it some more of a try. I have the impression that at least some
implementors are on this list - why not ask for their support -
anyone else out there?

Based on some recent discussion I had with Chris Lonvick (spawned off this
list), I think this would be a good thing to bring to the IETF syslog WG
(forgive me if it's already there - at least I haven't seen it).

Rainer Gerhards
Adiscon
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

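The token-tagged message layout Marcus sketches above, as an added example that is not part of this thread: a small Python parser for lines of the form `[GMT date/time][GMToffset] KEY=value, ...` plus a parse rule that keys on the tokens, showing why a tagged line can be matched precisely while an untagged one cannot. The exact delimiters, the sample lines and the function names are assumptions of this example, since the post only sketches the format.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample lines; the exact delimiters ("[ts][offset]", comma-separated
# KEY=value tokens, RAWMSG last) are an assumption, since the post only sketches them.
SAMPLE_TAGGED = (
    "[2002-12-11 20:14:29][-0800] APPLICATION=sendmail, SEVERITY=warning, "
    "IPSRC=192.0.2.10, PATHNAME=/var/spool/mqueue, not a token, "
    "RAWMSG=relay=mx.example.net, stat=Deferred: Connection timed out"
)
SAMPLE_UNTAGGED = "Dec 11 12:14:29 host sendmail[123]: relay=mx.example.net, stat=Deferred"

HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<off>[+-]\d{4})\]\s*(?P<body>.*)$")
TOKEN_KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*")

def parse_tagged(line: str) -> Optional[Dict[str, object]]:
    """Token dictionary for a tagged line, or None if the line is untagged.
    RAWMSG is taken as the final token and may contain commas and '=' (it carries
    the free-form text plain syslog would have sent); fields that are not
    KEY=value are kept under UNPARSED rather than silently dropped."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    tokens: Dict[str, object] = {"TIMESTAMP": m.group("ts"), "GMTOFFSET": m.group("off")}
    head, sep, raw = m.group("body").partition("RAWMSG=")
    if sep:
        tokens["RAWMSG"] = raw.strip()
    unparsed: List[str] = []
    for field in head.split(","):
        field = field.strip()
        if not field:
            continue
        key, eq, value = (part.strip() for part in field.partition("="))
        if eq and TOKEN_KEY_RE.fullmatch(key):
            tokens[key] = value
        else:
            unparsed.append(field)
    if unparsed:
        tokens["UNPARSED"] = unparsed
    return tokens

def event_time_utc(tokens: Dict[str, object]) -> datetime:
    """The sketch puts the timestamp in GMT; GMTOFFSET only records the sender's zone."""
    return datetime.strptime(str(tokens["TIMESTAMP"]), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def matches_rule(tokens: Optional[Dict[str, object]], rule: Dict[str, str]) -> bool:
    """A parse rule keyed on tokens: every required token must be present with that value."""
    return tokens is not None and all(tokens.get(k) == v for k, v in rule.items())
```

An untagged line parses to None, so no token rule can match it; the tagged line is matched on APPLICATION and SEVERITY without any regex over the free-form RAWMSG.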



    This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 14:00:30 PST