On Tue, Dec 17, 2002 at 01:00:02PM -0500, Bennett Todd wrote:
> Beyond that, the next two whitespace-delimited fields are pretty
> widely agreed on; the second is the hostname, and the third is
> program[pid]:. After that comes free text.

There is other information you're missing out there. What about the
facility and priority tags? I know that the syslog server itself
"sees" those tags, but are we meant to go out-of-band to find that
out ourselves when dealing with syslog records?

As it is, most people do the equivalent of "mail.* /var/log/maillog" -
so you know it's facility==mail, but you have no idea from the contents
what priority it is... hell, I do "*.* -/var/log/messages"

I get around this with syslog-ng. Currently our syslog entries are
created via:

    template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")

so that I get records like:

    2002-12-18T02:16:03+0000 pix_rtr local4 warning %PIX-4-106023: Deny udp src outside:6.6.7.8/39854 dst dmz1:1.2.3.4/32775 by access-group "internet-to-dmz1"

Oh yeah - and a LOT of records have no concept of pid...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
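Editor's worked example (added here; not code from the post or from syslog-ng): a small parser that reads both the syslog-ng template format quoted above ($R_ISODATE $HOST $FACILITY $PRIORITY $MSG) and the traditional timestamp/host/program[pid]: layout Bennett describes, then tries to select records at or above a given severity. The PIX record is the one from the post; the BSD-style lines, the host name "mailhost" and the sendmail fields are constructed sample input. The point it makes concrete is the one in the post: a record written in the classic format carries no facility or priority in its text (and often no pid), so a severity filter over such a file has nothing to work with.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shape produced by the syslog-ng template quoted in the post:
#   template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")
TEMPLATE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4})\s+'
    r'(?P<host>\S+)\s+(?P<facility>\S+)\s+(?P<priority>\S+)\s+(?P<msg>.*)$'
)

# Traditional BSD syslog line: "Mon DD HH:MM:SS host program[pid]: text".
# The program[pid]: part is optional because many senders omit the pid
# (or the whole tag), as the post notes for the PIX.
BSD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+'
    r'(?:(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+)?(?P<msg>.*)$'
)

# Standard syslog severity names, index == numeric severity (0 = most severe).
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']


@dataclass
class SyslogRecord:
    timestamp: str
    host: str
    msg: str
    facility: Optional[str] = None   # only known for template-format lines
    priority: Optional[str] = None   # only known for template-format lines
    program: Optional[str] = None
    pid: Optional[int] = None


def parse_template_line(line: str) -> Optional[SyslogRecord]:
    """Parse a line written by the syslog-ng template from the post."""
    m = TEMPLATE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    return SyslogRecord(m['ts'], m['host'], m['msg'],
                        facility=m['facility'], priority=m['priority'])


def parse_bsd_line(line: str) -> Optional[SyslogRecord]:
    """Parse a classic timestamp/host/program[pid]: line. No facility or
    priority survive in this format, so those fields stay None."""
    m = BSD_RE.match(line.rstrip('\n'))
    if not m:
        return None
    pid = int(m['pid']) if m['pid'] else None
    return SyslogRecord(m['ts'], m['host'], m['msg'],
                        program=m['prog'], pid=pid)


def severity_number(name: str) -> int:
    """Map a severity keyword to its numeric level (warning -> 4)."""
    return SEVERITIES.index(name)


def at_least(records: List[SyslogRecord], threshold: str) -> List[SyslogRecord]:
    """Keep records whose priority is at least as severe as `threshold`.
    Records that carry no priority in their text cannot qualify."""
    limit = severity_number(threshold)
    return [r for r in records
            if r.priority is not None and severity_number(r.priority) <= limit]


# Sample input: the PIX record from the post, plus constructed lines in the
# classic format (the mailhost/sendmail values are made up for illustration).
PIX_TEMPLATE_LINE = ('2002-12-18T02:16:03+0000 pix_rtr local4 warning %PIX-4-106023: '
                     'Deny udp src outside:6.6.7.8/39854 dst dmz1:1.2.3.4/32775 '
                     'by access-group "internet-to-dmz1"')
PIX_BSD_LINE = ('Dec 18 02:16:03 pix_rtr %PIX-4-106023: Deny udp src '
                'outside:6.6.7.8/39854 dst dmz1:1.2.3.4/32775 by access-group "internet-to-dmz1"')
MAIL_BSD_LINE = 'Dec 18 02:16:05 mailhost sendmail[1234]: gBI2G5xx: from=<user@example.net>'


def demo() -> List[SyslogRecord]:
    """Parse the three samples and filter at warning or worse. Only the
    template-format record carries enough information to be selected."""
    records = [parse_template_line(PIX_TEMPLATE_LINE),
               parse_bsd_line(PIX_BSD_LINE),
               parse_bsd_line(MAIL_BSD_LINE)]
    return at_least([r for r in records if r], 'warning')


if __name__ == '__main__':
    for rec in demo():
        print(rec.timestamp, rec.host, rec.facility, rec.priority, rec.msg[:40])
```

Running it prints only the template-format PIX record; the same message written in classic format drops out of the filter, not because it is less severe but because the text no longer says what its priority was. Note also that the classic PIX line yields program "%PIX-4-106023" with pid None, which is what a program[pid]: parser sees from a sender that has no pid to report.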
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:02:08 PST