Re: [logs] Syslog payload format

From: Russell Fulton (r.fultonat_private)
Date: Thu Jan 02 2003 - 17:36:15 PST


    On Tue, 2002-12-31 at 15:11, Tina Bird wrote:
    > And (reiterates the moderator, who's getting tired of slogging this dead
    > horse)...
    > 
    > I still maintain that it's pointless to worry about how to format the
    > messages or transport the messages until you've got at least >some<
    > guidance about what kinds of information (or events) ought to be recorded
    > in the first place!
    > 
    
    Anything and everything!  sigh...
    
    We log things for lots of reasons:
    
    1/ to provide audit trails of who did what and when.
    2/ to provide background information about the state of the world (e.g.
    resource usage).
    3/ to record unusual or potentially damaging events.
    4/ to record program malfunction or invalid input.
    5/ to provide debugging information.
    6/ to provide a record of all events in some domain (e.g. argus IP audit
    tool).
    
    the list just goes on and on.
    
    Even within one system what you log will depend on your particular
    interest and how much you are willing to pay to record the information.
    
    That said all applications do have some needs in common:
    
    1/ startup and shutdown info
    2/ configuration changes
    3/ abnormal program condition
    4/ abnormal input
    5/ resource usage
    6/ resource exhaustion ( covered by 3?)
    ......
    
    for transaction-based systems:
    1/ source of transaction
    2/ authentication information
    3/ transaction details
    4/ completion code
    ....
    
    How comprehensive a list do you want to come up with, Tina?  I have this
    idea of something no longer than a couple of pages of text (including a
    brief introduction) which lists some of the key things to be logged and
    why.  Is this what you have in mind?
    
    I'm not sure if a mailing list is the right tool to do this sort of
    thing.  We need some sort of collaborative tool that will allow people
    to add things to lists, preferably something driven through a browser. 
    I think this is at least one reason why Tina is not getting much
    response to her prompting to address this fundamental issue.
    
    Any ideas?
    
    This is the sort of thing that is best done face to face in a room with
    a *big* whiteboard (and lots of beer and pizza!).  LISA bof would seem
    like a good venue - pity I wouldn't be able to make it!
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    "It ain't necessarily so"  - Gershwin
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
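The two lists in the message above (the events every application should log, and the four things a transaction record should carry) can be turned into a simple audit of an application's actual output. The following is an added example, not code from the post or from the LogAnalysis list: it parses syslog-style lines whose message part is a `key=value` payload (an assumed convention, with an `event=` key naming the category), then reports per application which of the common-need events never appear and which transaction records lack a source, authentication, details or completion field. The sample lines are constructed for the example.

```python
"""Coverage check for application logs against the "common needs" and
transaction-field lists (added example; the key=value payload convention
and the event names are assumptions, not a standard)."""
import re
from collections import defaultdict

# Events every application should log, per the post (names are assumed).
COMMON_EVENTS = {
    "startup", "shutdown", "config_change", "abnormal_condition",
    "abnormal_input", "resource_usage", "resource_exhaustion",
}
# Fields a transaction record should carry, per the post (names are assumed).
TRANSACTION_FIELDS = {"source", "auth", "details", "completion"}

# Classic BSD syslog line: "Mon DD HH:MM:SS host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: one app, one malformed line on purpose.
SAMPLE_LINES = [
    'Jan  2 17:36:15 web1 shop[4242]: event=startup version=1.4',
    'Jan  2 17:36:16 web1 shop[4242]: event=config_change key=max_conns old=100 new=200 by=admin',
    'Jan  2 17:40:01 web1 shop[4242]: event=transaction id=T1001 source=10.0.0.7 auth=alice details="order 77 total=19.95" completion=0',
    'Jan  2 17:40:09 web1 shop[4242]: event=transaction id=T1002 source=10.0.0.9 details="order 78" completion=2',
    'Jan  2 17:41:00 web1 shop[4242]: event=abnormal_input source=10.0.0.9 reason="bad length"',
    'Jan  2 17:45:00 web1 shop[4242]: event=resource_usage open_conns=180 heap_mb=512',
    'Jan  2 17:45:05 web1 shop[4242]: event=resource_exhaustion resource=conns limit=200',
    'this line is not syslog at all',
]


def parse_line(line):
    """Split one syslog line into header fields plus a dict of the payload."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rec["msg"])}
    return rec


def audit(lines):
    """Return (report, unparsed): per-app missing events and incomplete
    transaction records, plus the lines that were not syslog at all."""
    seen = defaultdict(set)          # app -> set of event names observed
    bad_txn = defaultdict(list)      # app -> [(txn id, [missing fields])]
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        event = rec["fields"].get("event")
        if event is None:
            continue                 # free-text message; nothing to classify
        app = rec["app"]
        seen[app].add(event)
        if event == "transaction":
            missing = TRANSACTION_FIELDS - set(rec["fields"])
            if missing:
                bad_txn[app].append((rec["fields"].get("id", "?"), sorted(missing)))
    report = {}
    for app, events in seen.items():
        report[app] = {
            "missing_events": sorted(COMMON_EVENTS - events),
            "incomplete_transactions": bad_txn.get(app, []),
        }
    return report, unparsed


if __name__ == "__main__":
    report, unparsed = audit(SAMPLE_LINES)
    for app, r in report.items():
        print(f"{app}: never logged {r['missing_events']}")
        for txn_id, missing in r["incomplete_transactions"]:
            print(f"{app}: transaction {txn_id} lacks {missing}")
    print(f"{len(unparsed)} unparsable line(s)")
```

On the sample input the shop application never logs a shutdown or an abnormal program condition, and transaction T1002 has no authentication field. Running a check like this over a day of real output is a cheap way to answer the moderator's question for one application at a time: which of the "ought to be recorded" items are actually being recorded.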
    



    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:11:05 PST