Looks much like WELF
(btw, I am writing a tool that converts my application logs to WELF ;-)
Yep, Perl and stuff.
On Wed, Dec 11, 2002 at 02:49:20PM -0500, Marcus J. Ranum wrote:
>
> If we want to achieve "bang for the buck" in syslogging,
> we'd worry less about the transport and more about the
> contents of what is initially logged. Back a few months ago
> I posted a token dictionary that Paul Robertson and I worked
> up as part of the now-defunct Fargo project. Basically, the
> idea was to tag components of messages with significance and some
> rudimentary information intended to make them easier to parse
> on the backend. Nothing fancy, but more along the lines of:
>     [GMT date/time][GMToffset] RAWMSG=string, IPSRC=blah, SEVERITY=foo,
>     PATHNAME=blah, APPLICATION=sendmail
> etc. The dictionary used need not be large, complex, or complete,
> but it'd make huge strides in the right direction because the
> rest of the parse rule could be MUCH more accurately matched based
> on the presence and content of the various tokens.
>
> But to do this would entail visiting the source for EVERY APPLICATION
> that logs, and changing every line of code that generates logs.
> I just can't see that happening any time soon. :( There are ways
> it could be made evolutionary:
>     stick the raw syslog message string into field RAWMSG
>     add APIs that let you cluster better info along with the syslog()
>       function call and write a new wrapper, then try to get people to use
>       it.
[dd]
> think about it for a second, it'd be harder to imagine a stupider
> way to go about doing logging - but that's where we're headed.
;-)
I know. But I decided to keep the legacy format.
--
_ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 20:48:06 PST
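
The tagged format quoted above, sketched as an added example (not part of either poster's message and not Fargo code): a wrapper puts the legacy message into RAWMSG alongside extra tokens, and a backend parser reads the record back. The double-quoting and escaping of values, the timestamp layout, and the function names are assumptions; the page gives only the token names and the general layout.

```python
import re
from datetime import datetime, timezone

# Only the five token names shown in the quoted message; the full dictionary is not on the page.
KNOWN_TOKENS = {"RAWMSG", "IPSRC", "SEVERITY", "PATHNAME", "APPLICATION"}

def _quote(value):
    # Assumption: values are double-quoted with backslash escapes, so commas,
    # '=' or newlines inside RAWMSG cannot be read as additional tokens.
    s = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + s.replace("\n", "\\n") + '"'

def tagged_line(rawmsg, when=None, gmt_offset="+0000", **tokens):
    """Wrap a legacy message: raw text goes into RAWMSG, extra tokens ride along."""
    if set(tokens) - KNOWN_TOKENS or "RAWMSG" in tokens:
        raise ValueError(f"unexpected tokens: {sorted(tokens)}")
    when = when or datetime.now(timezone.utc)
    fields = {"RAWMSG": rawmsg, **tokens}
    body = ", ".join(f"{k}={_quote(v)}" for k, v in fields.items())
    return f"[{when:%Y-%m-%d %H:%M:%S}][{gmt_offset}] {body}"

_HEADER = re.compile(r"\[([^\]]+)\]\[([^\]]+)\] ")
_TOKEN = re.compile(r'([A-Z]+)="((?:[^"\\]|\\.)*)"(?:, |$)')

def _unescape(s):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)

def parse_tagged(line):
    """Backend side: return a dict of tokens, rejecting unknown or repeated names."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("missing [time][offset] header")
    record = {"TIME": m.group(1), "GMTOFFSET": m.group(2)}
    pos = m.end()
    while pos < len(line):
        t = _TOKEN.match(line, pos)
        if not t or t.group(1) not in KNOWN_TOKENS or t.group(1) in record:
            raise ValueError(f"malformed token at offset {pos}")
        record[t.group(1)] = _unescape(t.group(2))
        pos = t.end()
    return record

if __name__ == "__main__":
    # Constructed sample: a legacy message that itself contains ', ' and '='.
    line = tagged_line("stat=Deferred, relay=mx", IPSRC="192.0.2.7",
                       SEVERITY="warning", APPLICATION="sendmail")
    print(line)
    print(parse_tagged(line))
```

Because RAWMSG is quoted, text inside a legacy message that looks like `SEVERITY=...` stays part of RAWMSG instead of overriding the real token, and the parser refuses records with repeated token names.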