Tina Bird wrote:

> [..]
> What I'm trying to assemble is a list of the events on an individual
> host/operating system, or an application, or across a network, that are
> the most important for keeping things running smoothly. Or, the events
> that define "normal behavior" for a host, an application or a network.
> (They might not be the same lists.)
>
> Sometimes I think I must be missing something really obvious. I don't
> understand how to discuss a reasonable format for messages if I don't have
> >some< idea of what sorts of information (values) and events I want those
> messages to describe!
>
> Back in the mists of time we'd assembled the start of a list of important
> events (which at the time I introduced as "state changes" which launched
> us into another couple of unrelated tangents). I have a start of a list
> of "events that define normal" based on responses from students over the
> years.
> [..]

Maybe we should set our goals even lower for a start: What I want to get out of my logs is information if a) any of my hosts or applications is not running smoothly (e.g. because of hardware problems or not enough resources) and if b) anyone is trying to do something that he should not.

Problems of the a) type can usually be seen in a single log entry; the only thing an application programmer could do to make our lives easier is flag that message to mark it as "resource/hardware problem".

To catch problems of the b) type I want to be able to collect statistics on the correlation between time, hosts and user ids so unusual values could raise an automatic alarm to start a manual investigation. I think there is only a limited number of things to log that are of a practical value for this kind of investigation.

To name the ones I can think of right now:

+ Type of event: network connection, authentication event, application start/restart/shutdown, hardware/resource problem; all of these in flavors (ok/failed) as applicable
+ User IDs
+ Host IDs; additional information could be e.g. the role of src or dst host
+ protocol information, e.g. port numbers, tcp/udp/icmp/what_ever
+ system error messages (e.g. errno and corresponding error string)

In addition every log event should contain a clear text message for the human reader.

I don't think we need to do much for application specific data, as any application specific logs will need their own specific log analyzing tools anyway. Let's concentrate on the non-specific events instead.

--
Wolfgang Zenker                 Mail: W.Zenkerat_private
JPAVES Unix Online GmbH         Fon:  (+49) 721 / 955 40 60
Kaiserallee 87                  Fax:  (+49) 721 / 955 40 62
D-76185 Karlsruhe               Web:  www.jpaves.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
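The two detection cases in the post above, as an added example that is not part of the thread: constructed log lines in a hypothetical key=value layout carry the proposed non-specific fields (event type and ok/failed outcome, user and host IDs, protocol, errno, clear-text message); case (a) is spotted from a single flagged entry, case (b) by counting failed authentications per (hour, destination host, user) and flagging buckets that stand out from the rest.

```python
import shlex
from collections import Counter
from statistics import mean, pstdev

# Constructed sample lines (not from the post) in a hypothetical key=value
# layout; the field names are assumptions, chosen to match the list above.
SAMPLE_LOG = """\
ts=2003-01-02T08:00:11 type=auth outcome=ok user=alice src=10.0.0.5 dst=srv1 proto=tcp/22 msg="login ok"
ts=2003-01-02T08:01:30 type=auth outcome=failed user=bob src=10.0.0.9 dst=srv1 proto=tcp/22 msg="bad password"
ts=2003-01-02T08:01:41 type=auth outcome=failed user=bob src=10.0.0.9 dst=srv1 proto=tcp/22 msg="bad password"
ts=2003-01-02T08:01:52 type=auth outcome=failed user=bob src=10.0.0.9 dst=srv1 proto=tcp/22 msg="bad password"
ts=2003-01-02T08:02:03 type=auth outcome=failed user=bob src=10.0.0.9 dst=srv1 proto=tcp/22 msg="bad password"
ts=2003-01-02T08:02:14 type=auth outcome=failed user=bob src=10.0.0.9 dst=srv1 proto=tcp/22 msg="bad password"
ts=2003-01-02T08:05:00 type=auth outcome=failed user=carol src=10.0.0.7 dst=srv2 proto=tcp/22 msg="typo"
ts=2003-01-02T09:10:00 type=auth outcome=failed user=alice src=10.0.0.5 dst=srv1 proto=tcp/22 msg="typo"
ts=2003-01-02T10:20:00 type=auth outcome=failed user=dave src=10.0.0.8 dst=srv2 proto=tcp/22 msg="typo"
ts=2003-01-02T10:21:00 type=app outcome=ok host=srv2 msg="httpd restart"
ts=2003-01-02T10:30:00 type=resource outcome=failed host=srv2 errno=28 msg="No space left on device"
"""

def parse_event(line):
    """Split one key=value line into a dict; shlex keeps the quoted msg intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]

def hardware_problems(events):
    """Case (a): one entry flagged as a failed hardware/resource event is enough."""
    return [e for e in events
            if e.get("type") in ("hardware", "resource") and e.get("outcome") == "failed"]

def failed_auth_outliers(events, sigma=1.5):
    """Case (b): count failed auths per (hour, dst host, user) bucket and
    return buckets whose count exceeds mean + sigma * stdev of all buckets."""
    buckets = Counter(
        (e["ts"][:13], e.get("dst", "?"), e.get("user", "?"))
        for e in events if e.get("type") == "auth" and e.get("outcome") == "failed")
    if len(buckets) < 2:
        return []
    threshold = mean(buckets.values()) + sigma * pstdev(buckets.values())
    return sorted((key, n) for key, n in buckets.items() if n > threshold)
```

With so few buckets the z-score threshold is only illustrative; a real baseline would be built over days of data per host and user.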
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 08:16:00 PST