On Tue, 2002-12-31 at 15:11, Tina Bird wrote:
> And (reiterates the moderator, who's getting tired of slogging this dead
> horse)...
>
> I still maintain that it's pointless to worry about how to format the
> messages or transport the messages until you've got at least >some<
> guidance about what kinds of information (or events) ought to be recorded
> in the first place!
>

Anything and everything! sigh...

We log things for lots of reasons:

1/ to provide audit trails of who did what and when.
2/ to provide background information about the state of the world (eg. resource usage).
3/ to record unusual or potentially damaging events.
4/ to record program malfunction or invalid input
5/ to provide debugging information
6/ to provide a record of all events in some domain (eg. argus IP audit tool).

the list just goes on and on. Even within one system what you log will depend on your particular interest and how much you are willing to pay to record the information.

That said, all applications do have some needs in common:

1/ startup and shutdown info
2/ configuration changes
3/ abnormal program condition
4/ abnormal input
5/ resource usage
6/ resource exhaustion (covered by 3?)
......

for transaction-based systems

1/ source of transaction
2/ authentication information
3/ transaction details
4/ completion code
....

How comprehensive a list do you want to come up with, Tina? I have this idea of something no longer than a couple of pages of text (including a brief introduction) which lists some of the key things to be logged and why. Is this what you have in mind?

I'm not sure if a mailing list is the right tool to do this sort of thing. We need some sort of collaborative tool that will allow people to add things to lists, preferably something driven through a browser. I think this is at least one reason why Tina is not getting much response to her prompting to address this fundamental issue. Any ideas?

This is the sort of thing that is best done face to face in a room with a *big* whiteboard (and lots of beer and pizza!). LISA bof would seem like a good venue - pity I wouldn't be able to make it!

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

"It aint necessarily so" - Gershwin

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:11:05 PST