In an earlier message, I mentioned that I've been keeping logs for a while. I said I'd kept "every log message". Marcus was kind enough to point out (privately) that I'd really only kept every one that I hadn't lost, due to the joys of UDP. Yup, we've lost a few over the years, I bet. And that gets back to the reason that some kind of interoperable, "standard" reliable audit record transport is "still" important.

<soapbox>
Yes, we need to fix the broken free-not-form so-called excuses for log record formats that we've lived with for almost 30 years. But we also need the infrastructure to ensure that our "new format" records would actually get somewhere. And we need to ensure that the generate/transport/analyze work process chain has "enough" integrity that the records can be admitted as evidence. And we need some better ways for applications to create those audit records, such as the new APIs that have been alluded to by others. And all of those things will make the analysis job easier, or guide our analysis work process.

So now we have at least one "standard" for "safe transport". We need to get that deployed. That *helps* provide the integrity of the transport part of the work process chain. Next, we figure out *what* should be in a record, and when they should be generated. This was pointed out at least 3-4 weeks ago. Every time we start looking at content, we keep getting bogged down on message *format* (syntax), not message content and meaning (semantics). The semantics will be guided by what we need in order to do an analysis, AND what we think we need to make the logs acceptable as evidence.
</soapbox>

Sorry, I get overly verbose when my brain is melted from reading student papers.

My questions:

1) Is RFC 3195 (syslog-reliable) so broken that we should punt and spend another few years trying to write YALS (yet another log standard), or do we just go with it and plan to do a version 2 protocol eventually?

2) If (1) has solved the transport+integrity problem, then it's on to the semantic questions: When and what do we log? What is an "event"? We started down this road last month?, but got sidetracked (again) on syntax (fixed fields vs attribute/value pairs, and what about XML, etc.).

3) Once we get (2), THEN we can start to worry about the syntax.

Does this make sense, or should I down another shot of Chinaco Anejo and grade some more papers?

--
Tom E. Perrine <tepat_private> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 22:40:40 PST