Re: [logs] Syslog payload format

From: Mikael Olsson (mikael.olssonat_private)
Date: Fri Dec 20 2002 - 11:19:43 PST

  • Next message: Rainer Gerhards: "RE: [logs] Syslog payload format"

    Folks,
    
    Random thoughts / open questions:
    
    
    Why type tagging?  Even if I tag something as "integer" or 
    "ipv4 address", it really doesn't help a log parser if it 
    doesn't know its meaning.
    
    
    Why such focus on local host events?  - Think firewalls and other 
    network equipment.
    
    I'm a bit worried about the "fixed naming" suggestions. Consider 
    for instance IP addresses. In a firewall perspective, presenting
    source and destination IP addresses makes sense. Perhaps like:
       srcip=1.2.3.4 destip=2.3.4.5
    
    Sounds nice, eh?  But consider an event where we want to describe
    a connection, and a packet travelling in the reverse direction:
      srcip=1.2.3.4 destip=2.3.4.5 srcip=1.2.3.4 destip=2.3.4.5
    
    "oops". I won't add to the confusion by also describing both
    ends of a dually NATed connection. Suffice to say that pretty
    much any unit emitting log events will have to go beyond some
    small set of "standard" events, which again means that any
    form of automated log parser must know about these names.
    
    But, then again, what value is an automated log analyzer if it
    doesn't know what it's analyzing?  Even if it was only presented
    with known names, it'd still need _context_ in order to produce
    something meaningful.
    
    
    
    Oh, and something else: PLEASE, in the name of $deity! Not ASN.1,
    mkay? :)  I've had the distinct displeasure of being involved in 
    implementing both ASN.1 parsers and generators, and even though neither 
    were affected by the bout of vulnerabilities that struck a while ago, 
    I must say that I have no problem whatsoever understanding why all 
    those holes came to be.  ASN.1 is just plain horrid from a programmer's 
    point of view.
    
    
    So, um, anyway, to sum up my ramblings above: what is the goal of
    standardizing syslog payloads?  I can certainly understand why
    anyone doing log analysis would want applications to emit some sort 
    of sane output that is actually machine parseable rather than just 
    random written english statements, but I fail to see the point in
    enforcing the same set of rules to things as disparate as /bin/login 
    and a router (?)
    
    
    Bring it on! :)
    /Mike
    
    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
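The duplicate-key problem Mike describes (the "oops" line, where a connection and a packet in the other direction both want a srcip/destip) is easy to reproduce with a naive key=value parser. The following is an added example, not code from the post, from Clavister or from the list: it tokenizes a key=value syslog payload, shows that a plain dict silently keeps the last value, rejects payloads with repeated keys, and then parses a scoped naming scheme (`conn.srcip` / `pkt.srcip` / `nat.srcip`) that lets several entities carry the same field name without colliding. The scope prefixes and the sample payloads are assumptions constructed for the example, not a standard, and the third payload goes one step beyond the post by also carrying a NAT scope.

```python
"""Key=value syslog payload parsing: the duplicate-key ambiguity and one
way around it.  Added example; the scoped naming (conn./pkt./nat.) and the
sample payloads below are constructed assumptions, not any vendor's format."""
import re
from typing import Dict, List, Tuple

# Constructed sample payloads (not captured from a real device).
# 1. Flat naming: connection plus a reverse-direction packet, as in the post.
CONN_EVENT_FLAT = "srcip=1.2.3.4 destip=2.3.4.5 srcip=2.3.4.5 destip=1.2.3.4"
# 2. Scoped naming: the same event with each entity under its own prefix.
CONN_EVENT_SCOPED = ("conn.srcip=1.2.3.4 conn.destip=2.3.4.5 "
                     "pkt.srcip=2.3.4.5 pkt.destip=1.2.3.4")
# 3. Scoped naming with a NAT scope and an unscoped free-text field.
NAT_EVENT = ('conn.srcip=10.0.0.7 conn.destip=2.3.4.5 '
             'nat.srcip=198.51.100.1 nat.destip=192.0.2.9 msg="allow"')

# key=value, where value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_.]+)=(?P<val>"[^"]*"|\S+)')


class AmbiguousPayload(ValueError):
    """Raised when the same key occurs more than once in one payload."""


def tokenize(payload: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in payload order; quoted values are unquoted."""
    pairs = []
    for m in KV_RE.finditer(payload):
        val = m.group("val")
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        pairs.append((m.group("key"), val))
    return pairs


def naive_parse(payload: str) -> Dict[str, str]:
    """dict() keeps only the LAST occurrence of a repeated key: the 'oops'.
    Nothing signals that the first srcip/destip pair was overwritten."""
    return dict(tokenize(payload))


def strict_parse(payload: str) -> Dict[str, str]:
    """Like naive_parse, but refuse a payload whose keys are not unique."""
    out: Dict[str, str] = {}
    for key, val in tokenize(payload):
        if key in out:
            raise AmbiguousPayload(
                f"duplicate key {key!r}: {out[key]!r} and {val!r}")
        out[key] = val
    return out


def is_ambiguous(payload: str) -> bool:
    """True if strict_parse would reject the payload."""
    try:
        strict_parse(payload)
    except AmbiguousPayload:
        return True
    return False


def scoped_parse(payload: str) -> Dict[str, Dict[str, str]]:
    """Group 'scope.field=value' pairs by scope, so conn.srcip and pkt.srcip
    coexist.  Keys without a scope land under '_'.  Still rejects a key that
    is literally repeated, since that is ambiguous in any scheme."""
    out: Dict[str, Dict[str, str]] = {}
    for key, val in strict_parse(payload).items():
        scope, _, field = key.rpartition(".")
        out.setdefault(scope or "_", {})[field] = val
    return out


if __name__ == "__main__":
    print("naive :", naive_parse(CONN_EVENT_FLAT))        # first pair lost
    print("strict:", is_ambiguous(CONN_EVENT_FLAT))       # True
    print("scoped:", scoped_parse(CONN_EVENT_SCOPED))
    print("nat   :", scoped_parse(NAT_EVENT))
```

The point of `strict_parse` is that a parser which does not know the event's semantics can at least refuse to guess: if a device emits two srcip fields, silently taking either one produces a confidently wrong record, which is worse than a parse error that lands in a review queue.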



    This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:36:45 PST