Folks,

Random thoughts / open questions:

Why type tagging? Even if I tag something as "integer" or "ipv4 address", it really doesn't help a log parser if it doesn't know its meaning.

Why such focus on local host events? Think firewalls and other network equipment.

I'm a bit worried about the "fixed naming" suggestions. Consider for instance IP addresses. In a firewall perspective, presenting source and destination IP addresses makes sense. Perhaps like:

    srcip=1.2.3.4 destip=2.3.4.5

Sounds nice, eh? But consider an event where we want to describe a connection, and a packet travelling in the reverse direction:

    srcip=1.2.3.4 destip=2.3.4.5 srcip=1.2.3.4 destip=2.3.4.5

"oops".

I won't add to the confusion by also describing both ends of a dually NATed connection. Suffice to say that pretty much any unit emitting log events will have to go beyond some small set of "standard" events, which again means that any form of automated log parser must know about these names.

But, then again, what value is an automated log analyzer if it doesn't know what it's analyzing? Even if it was only presented with known names, it'd still need _context_ in order to produce something meaningful.

Oh, and something else: PLEASE, in the name of $deity! Not ASN.1, mkay? :)

I've had the distinct displeasure of being involved in implementing both ASN.1 parsers and generators, and even though neither were affected by the bout of vulnerabilities that struck a while ago, I must say that I have no problem whatsoever understanding why all those holes came to be. ASN.1 is just plain horrid from a programmer's point of view.

So, um, anyway, to sum up my ramblings above: what is the goal of standardizing syslog payloads?

I can certainly understand why anyone doing log analysis would want applications to emit some sort of sane output that is actually machine parseable rather than just random written English statements, but I fail to see the point in enforcing the same set of rules to things as disparate as /bin/login and a router (?)

Bring it on! :)

/Mike

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
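The naming collision and the "context" point raised in the post above, shown in code. This is an added example, not part of the original message or of any Clavister product: the sample events, the `conn.`/`pkt.` key-prefix convention, and the function names are all constructed assumptions. It parses the same flat `key=value` payload three ways (last-wins, collect-all, scope-prefixed) and then shows that only a consumer that knows what `conn` and `pkt` mean can decide whether a packet runs forward or in reverse on its connection.

```python
"""Three parsers for a flat key=value syslog payload, illustrating why a
fixed "srcip"/"destip" vocabulary cannot describe a connection plus a
packet on it, and why a type tag such as "ipv4" checks syntax, not meaning.

Added example; not from the original post. The '<scope>.<field>' key
convention and every event string below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events (not captured from any real device).
FLAT_EVENT = "srcip=1.2.3.4 destip=2.3.4.5 srcip=2.3.4.5 destip=1.2.3.4"
SCOPED_FORWARD = ("conn.srcip=1.2.3.4 conn.destip=2.3.4.5 "
                  "pkt.srcip=1.2.3.4 pkt.destip=2.3.4.5")
SCOPED_REVERSE = ("conn.srcip=1.2.3.4 conn.destip=2.3.4.5 "
                  "pkt.srcip=2.3.4.5 pkt.destip=1.2.3.4")


def tokens(payload):
    """Split 'k=v k=v ...' into (key, value) pairs, preserving order."""
    pairs = []
    for tok in payload.split():
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"not key=value: {tok!r}")
        pairs.append((key, value))
    return pairs


def parse_flat(payload):
    """Naive parser: a repeated key silently overwrites the earlier value.
    On FLAT_EVENT the connection's own tuple is lost; only the packet's survives."""
    out = {}
    for key, value in tokens(payload):
        out[key] = value
    return out


def parse_multi(payload):
    """Keep every value per key. Nothing is lost, but the consumer still cannot
    tell which srcip belongs to the connection and which to the packet."""
    out = defaultdict(list)
    for key, value in tokens(payload):
        out[key].append(value)
    return dict(out)


def is_ipv4(value):
    """What an 'ipv4' type tag can buy you: a syntax check, nothing about
    which end of which flow the address is."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def parse_scoped(payload):
    """Assumed convention: keys are '<scope>.<field>' (conn.srcip, pkt.srcip).
    A duplicate field inside one scope is an error, not a silent overwrite;
    unscoped keys land in the '_' bucket."""
    out = {}
    for key, value in tokens(payload):
        scope, sep, field = key.partition(".")
        if not sep:
            scope, field = "_", key
        bucket = out.setdefault(scope, {})
        if field in bucket:
            raise ValueError(f"duplicate field {key}")
        if field.endswith("ip") and not is_ipv4(value):
            raise ValueError(f"{key}: not an IPv4 address: {value!r}")
        bucket[field] = value
    return out


def packet_direction(event):
    """The schema-level context the post asks for: 'conn' is the connection
    as it was opened, 'pkt' is one packet on it. Only with that meaning
    known can a consumer say which way the packet travels."""
    conn, pkt = event["conn"], event["pkt"]
    if (pkt["srcip"], pkt["destip"]) == (conn["srcip"], conn["destip"]):
        return "forward"
    if (pkt["srcip"], pkt["destip"]) == (conn["destip"], conn["srcip"]):
        return "reverse"
    return "unrelated"


if __name__ == "__main__":
    print("last-wins :", parse_flat(FLAT_EVENT))
    print("collect   :", parse_multi(FLAT_EVENT))
    for ev in (SCOPED_FORWARD, SCOPED_REVERSE):
        parsed = parse_scoped(ev)
        print("scoped    :", parsed, "->", packet_direction(parsed))
```

Run it as a script to see the three parses side by side. The design choice worth noting is that `parse_scoped` rejects a duplicate within a scope instead of overwriting it: a collision in a log format is a data-loss bug, and a parser that silently picks one value hides exactly the ambiguity the post describes.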
This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:36:45 PST