RE: [logs] Syslog payload format

• Previous message: Ogle Ron (Rennes): "RE: [logs] Syslog payload format"
• Reply: Frank O'Dwyer: "RE: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'll give you an example.  My apache web server sends out access logs that I
roll right over into syslog.  (Actually it's syslog-ng because of the UDP
issue.)  The format is straight forward, easy to parse, and low-overhead.
Then on my log server side, my parsing and graphing tools make nice little
pictures.

The developers of Apache sent out to logs all of the meaningful data in the
format that they see fit because it is how they see the data in a nice easy
to carry package.  Syslog gives me the means to move it off the machine to a
log server.  Nice and Efficient!  BTW, my Apache server didn't have to spend
any time chunking/tagging the data.

See if you guys/gals spent more time trying to figure out what you wanted an
OS or application maker to provide you, then you could start to write
standards like the W3C did for the data that you wanted.

This is what I really mean about IP, TCP, UDP, etc.  Ethernet, IP, and TCP
could care less what protocol is running on top of it.  Syslog should be the
same way.  In essence, syslog puts a couple of specific data items up front
and then gives you a bunch of free space.  Define the standards on top of
syslog that are meaningful for the data collections in a way that are most
appropriate for the way that the application generates the data.

Nice, efficient, unobtrusive, and minimal.

Ron Ogle
Rennes, France

> -----Original Message-----
> From: Frank O'Dwyer [mailto:fodat_private]
> Sent: Tuesday, January 14, 2003 05:45 PM
> To: Ogle Ron (Rennes); loganalysisat_private
> Subject: RE: [logs] Syslog payload format
> 
> 
> Ron Ogle wrote:
> > Like I said before, it would be
> > amazing if Ethernet, IP, TCP, UDP, etc. would have survived 
> you guys.  You
> > can have all kinds of tools that can take this nice 
> efficient log and show
> > you pretty pictures later on the log server.
> 
> Nice? Efficient? You've got to be kidding!
> 
> If TCP/IP had been designed using the same principles as 
> syslog, then there
> would be no Internet and we would not be having this 
> discussion, because:
> 
> * half the data would never show up
> * the network address would be missing
> * the IP address would be written in english as "please send 
> this packet to
> one-hundred-and-twenty"
> * Or completely differently if the developer felt like it, or 
> made a typo.
> 
> There are two kinds of simple - simple/elegant and 
> simple/broken. Syslog is
> a model example of the latter.
> 
> Cheers,
> Frank
> 
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Frank O'Dwyer: "RE: [logs] Syslog payload format"
• Previous message: Ogle Ron (Rennes): "RE: [logs] Syslog payload format"
• Reply: Frank O'Dwyer: "RE: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 10:36:06 PST