On Mon, Dec 30, 2002 at 09:49:57PM -0800, Kohlenberg, Toby wrote:
> :)
> Well put. So, just off the top of my head, I'm generally interested in
> all sorts of things:
> From the application perspective:
> startup information (who it's running as, what configuration file
> it is using, ports bound to),
> activity information (what it is doing
> and for whom, the request it received that caused it to do something,
> how it got the request (command line? network?), what the actual
> request was (if it applies)...
> shutdown information (how it was shut down, what if anything that was left
> unfinished when it shut down, why it shut down)

The problem is with 'activity information'. Both startup and shutdown
information are quite easy to standardize on. But activity is not. Events
have a completely different space for our applications, so picking common
tag names is difficult. A transaction is completely different for an MTA,
a packet filter and a proxy firewall.

>
> from the OS perspective:
> all the typical accounting information plus:
> who a process ran as, who started it, how long it ran, what
> files it interacted with (and what it did/tried to do to each of them),
> what networking things it did (ports it used, addresses it used,
> amount of traffic sent/received).

Would you log this information when the process terminated or also during
its lifetime? What about programs which run indefinitely?

>
> Also, I want to be able to kick up the level of granularity as needed
> (ideally maybe automatically if certain events are seen) and go from
> a list of files a process touched/tried to touch, to what it
> did to them, to the actual system calls made.....

IMHO the granularity should be controlled by the application, not the
logging subsystem. Letting the application log *everything* and filter at
the logging subsystem will cause severe performance loss. So I would not
put effort into standardizing how application logging granularity is
controlled.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 15:16:51 PST