> 1) is RFC 3195 (syslog-reliable) so broken that we should punt and
> spend another few years trying to write YALS (yet another log
> standard), or do we just go with it and plan to do a version 2
> protocol eventually?

Personally I don't think 3195 is broken (all depends what you think of BEEP), so onto (2)...

> 2) If (1) has solved the transport+integrity problem, then it's on to
> the semantic questions: When and what do we log? What is an
> "event"? We started down this road last month?, but got
> sidetracked (again) on syntax (fixed fields vs attribute/value
> pairs, and what about XML, etc.).

...I think the biggest hurdle here is to unambiguously identify events in a machine-readable way, some kind of ID or namespace(s?) for events. I'm not talking about the contents or details of the event, but some kind of name or number that answers the most basic question, which is "what happened?", or if you prefer "what event or type of event is this?".

This kind of information would make things like event routing much easier, as well as facilitating signature recognition and several other nice features. In fact, without it, it's tough to do anything.

There are loads of issues with it though - do IDs need to be globally unique? Is there a need for hierarchical IDs to enable event subclassing? Does it need ID/name translation between different ID/name spaces? Some kind of IANA-like registration of event IDs? What about current apps that don't have any concept of event ID? etc.

Cheers,
Frank

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Sun Dec 15 2002 - 11:31:15 PST