Re: [logs] Syslog payload format

From: wolfgangat_private
Date: Tue Jan 14 2003 - 08:45:55 PST


    Ogle Ron (Rennes) wrote:
    > > From: Bennett Todd [mailto:betat_private]
    > [..]
    > > But there's one big downside to the current approach: it makes no
    > > attempt to (a) precisely and unambiguously preserve as much
    > > information as possible from the logging source, and (b) attempt to
    > > offer developers a rich and comprehensive lexicon for classifying
    > > log events.
    
    > I know there are some problems with syslog (timestamp and udp), but you guys
    > are throwing the baby out with the bath water, and I had to say something.
    > There is nothing in the current syslog that prevents me from being precise
    > or ambiguous.  I also understand on trying to formalize some higher level
    > constructs, but the price is simplicity and ease of use.
    
    > > These two defects are important and costly ways that current syslog,
    > > mostly in the API, is inadequate; it's not capturing all the
    > > knowledge that's available at the point of logging, and not all of
    > > what it doesn't capture can be reconstructed robustly. It's lossy at
    > > the logging API as well as the transport.
    
    > No matter if it's the OS or the application, a developer has to write the
    > calls to put the data out there.  If he/she isn't doing it with the current
    > syslog, do you really believe he/she will do it when they have to look up
    > all of this data to know which appropriate log event to throw out?  The
    > lossiness is due to the fact that the developer didn't care about giving any
    > more details.
    
    The point is that the developer cannot put the data out there with the
    current syslog. At least not in a way that a log analysis tool written
    by a third party can identify it. The developer might e.g. log the host
    name of a host trying to connect to the application, but my log analysis
    tool has no way to identify that part of the log message as a host name
    without prior knowledge of the message formats generated by this particular
    application. And that is one of the things we want to change.
    
    -- 
    Wolfgang Zenker                                  Mail: W.Zenkerat_private
    JPAVES Unix Online GmbH                          Fon:  (+49) 721 / 955 40 60
    Kaiserallee 87                                   Fax:  (+49) 721 / 955 40 62
    D-76185 Karlsruhe                                Web:  www.jpaves.com
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
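
Added example, not part of the original message or of any format proposed on the list: a small Python illustration of the point above, that a third-party tool cannot tell which token in a free-text message is the connecting host, while a payload that labels its fields can be read without per-application knowledge. The program names, sample lines and key names (src_host, target) are constructed for illustration.

```python
import re

# Constructed sample lines: two hypothetical applications report the same
# fact (a remote host connected) in their own free-text wording.
FREE_TEXT = [
    "appd[311]: connection from mail.example.org accepted",
    "xferd[87]: peer=mail.example.org opened session for backup.example.net",
]

# Constructed sample lines for a payload that labels its fields. The key
# names are hypothetical, chosen only for this illustration.
TAGGED = [
    "appd[311]: event=connect src_host=mail.example.org result=accepted",
    "xferd[87]: event=connect src_host=mail.example.org target=backup.example.net",
]

HOSTLIKE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
PAIR = re.compile(r"(\w+)=(\S+)")


def guess_hosts(line):
    """Tool with no knowledge of the application's message format: all it
    can do is collect every token that is shaped like a host name."""
    return HOSTLIKE.findall(line)


def connecting_host(line):
    """Same tool reading a labelled payload: the field name, not the
    wording of the message, says which value is the connecting host."""
    return dict(PAIR.findall(line)).get("src_host")


if __name__ == "__main__":
    for line in FREE_TEXT:
        # Candidates only; with two of them the role of each is unknown.
        print("free text:", guess_hosts(line))
    for line in TAGGED:
        print("labelled :", connecting_host(line))
```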
    


