Re: [logs] Syslog payload format

From: Tina Bird (tbird@precision-guesswork.com)
Date: Wed Jan 01 2003 - 16:42:16 PST


    <bits and pieces of previous messages deleted for brevity>:
    
    On Tue, 31 Dec 2002, Darren Reed wrote:
    
    > It occurred to me whilst out walking that there's a fundamental problem
    > here with us saying what we *want* to log and that is we have almost NO
    > control over what gets logged.  We can influence how it gets logged
    > by plugging in a different API for syslog(3) and providing a new one but
    > I don't see it being easily within reach for influencing application
    > programmers.  MAYBE you could get some notice if an RFC was written up
    > as a BCP (Best Current Practise) on what's considered to be logging in
    > a useful manner and how much needs to be done for it to be useful.  Also,
    > what sort of applications should, and should different classes of apps
    > provide log information differently, depending on xyz ?
    >
    Well said, Darren, and part of what I've already been trying to do,
    without of course having the document written.  I've been on a personal
    crusade every time I run into developers on any of the big open source
    projects (or at least, Apache, OpenSSL and Snort, at the moment) to try to
    convince them to modify their code to generate a syslog message when the
    daemon is restarted with a configuration change.
    
    IANAD (I am not a developer) and as usual it's a much more complicated
    thing than I'd imagined, but since I don't yet have enough content to
    write that RFC it's the only thing I can think of to do.
    
    We've got an awful lot of people on this list who are in positions to be
    influential.  We just need to come to some sort of conclusion about what
    we want.
    
    > It sounds to me like you want to run all your applications in what would
    > be commonly called a "debug mode".
    >
    This sounds like overkill to me in most cases, unless you'd be doing
    process auditing anyhow.  I'm still stuck on things like config changes,
    restarts, reboots, use of admin privileges, new account creation, that
    sort of stuff.
    
    > Just out of curiosity, do you use sendmail and if so, do you make any
    > changes to the sendmail.cf for the purpose of more verbose logging ?
    > Does anyone else who uses sendmail (it's ok, you can admit to it, heck
    > I even *like* sendmail.cf >:-) make any changes to its standard log
    > level ?  That's the sendmail log level, not mail.foo in syslog.conf.
    
    I am not currently using sendmail.  But good point.  I should pester Eric
    and company about convincing it to log when its configuration changes.
    
    tbird
    
    ------------------------------------------------------------------
    Never express yourself more clearly than you think.  -- Niels Bohr
    
    http://www.shmoo.com/~tbird
    Log Analysis http://www.loganalysis.org
    VPN http://vpn.shmoo.com
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
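    The behaviour Tina is lobbying developers for above (a daemon that emits a syslog message when it restarts or reloads with a changed configuration), as an added example that is not code from this thread or from Apache, OpenSSL or Snort: a small C routine a daemon would call at startup and after each reload, which fingerprints the config file and logs a NOTICE via syslog(3) only when the contents differ from the last load. The function names, the FNV-1a fingerprint and the sample config lines are my own constructions.

```c
#include <stdio.h>
#include <stdint.h>
#include <syslog.h>
/* FNV-1a 64-bit: a cheap change detector for config contents, not a crypto hash. */
static uint64_t fnv1a64_update(uint64_t h, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
uint64_t fnv1a64(const unsigned char *p, size_t n) { return fnv1a64_update(0xcbf29ce484222325ULL, p, n); }

/* Fingerprint a configuration file; returns -1 if it cannot be read. */
int config_fingerprint(const char *path, uint64_t *out) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char buf[4096]; size_t n; uint64_t h = 0xcbf29ce484222325ULL;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) h = fnv1a64_update(h, buf, n);
    fclose(f);
    *out = h;
    return 0;
}

/* Call at startup and after every reload (e.g. when the main loop sees the SIGHUP flag).
 * *prev holds the last fingerprint, 0 before the first call; caller has done openlog().
 * Returns 1 if a change was logged, 0 if unchanged, -1 if the file was unreadable. */
int note_config_reload(const char *path, uint64_t *prev) {
    uint64_t cur;
    if (config_fingerprint(path, &cur) != 0) { syslog(LOG_ERR, "config reload failed: cannot read %s", path); return -1; }
    int changed = (*prev != 0 && cur != *prev);
    if (*prev == 0)
        syslog(LOG_NOTICE, "config loaded: file=%s fp=%016llx", path, (unsigned long long)cur);
    else if (changed)
        syslog(LOG_NOTICE, "config changed on reload: file=%s old=%016llx new=%016llx", path, (unsigned long long)*prev, (unsigned long long)cur);
    *prev = cur;
    return changed;
}

/* Constructed demo: start, reload unchanged, edit the file, reload again.
 * Returns the number of change events logged (expected 1), or -1 on I/O failure. */
int demo_config_change_events(const char *path) {
    uint64_t prev = 0; int events = 0, r;
    FILE *f = fopen(path, "w"); if (!f) return -1;
    fputs("listen=80\n", f); fclose(f);
    if ((r = note_config_reload(path, &prev)) < 0) return -1; events += r;
    if ((r = note_config_reload(path, &prev)) < 0) return -1; events += r;
    if (!(f = fopen(path, "w"))) return -1;
    fputs("listen=8080\n", f); fclose(f);
    if ((r = note_config_reload(path, &prev)) < 0) return -1; events += r;
    return events;
}
```

    The resulting NOTICE lines carry the old and new fingerprints, so a log analyst can tie a behaviour change to a specific configuration edit rather than just to a restart.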
    



    This archive was generated by hypermail 2b30 : Wed Jan 01 2003 - 20:06:17 PST