I'll give you an example. My apache web server sends out access logs that I roll right over into syslog. (Actually it's syslog-ng because of the UDP issue.) The format is straightforward, easy to parse, and low-overhead. Then on my log server side, my parsing and graphing tools make nice little pictures.

The developers of Apache sent out to logs all of the meaningful data in the format that they see fit because it is how they see the data in a nice easy to carry package. Syslog gives me the means to move it off the machine to a log server. Nice and Efficient! BTW, my Apache server didn't have to spend any time chunking/tagging the data.

See if you guys/gals spent more time trying to figure out what you wanted an OS or application maker to provide you, then you could start to write standards like the W3C did for the data that you wanted.

This is what I really mean about IP, TCP, UDP, etc. Ethernet, IP, and TCP could care less what protocol is running on top of it. Syslog should be the same way. In essence, syslog puts a couple of specific data items up front and then gives you a bunch of free space. Define the standards on top of syslog that are meaningful for the data collections in a way that is most appropriate for the way that the application generates the data. Nice, efficient, unobtrusive, and minimal.

Ron Ogle
Rennes, France

> -----Original Message-----
> From: Frank O'Dwyer [mailto:fodat_private]
> Sent: Tuesday, January 14, 2003 05:45 PM
> To: Ogle Ron (Rennes); loganalysisat_private
> Subject: RE: [logs] Syslog payload format
>
> Ron Ogle wrote:
> > Like I said before, it would be amazing if Ethernet, IP, TCP, UDP, etc. would have survived you guys. You can have all kinds of tools that can take this nice efficient log and show you pretty pictures later on the log server.
>
> Nice? Efficient? You've got to be kidding!
>
> If TCP/IP had been designed using the same principles as syslog, then there would be no Internet and we would not be having this discussion, because:
>
> * half the data would never show up
> * the network address would be missing
> * the IP address would be written in English as "please send this packet to one-hundred-and-twenty"
> * Or completely differently if the developer felt like it, or made a typo.
>
> There are two kinds of simple - simple/elegant and simple/broken. Syslog is a model example of the latter.
>
> Cheers,
> Frank

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
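The layering discussed in this message, as an added example that is not part of the original posts: a log-server-side parser that first splits the fixed BSD syslog fields from the free-form payload, then applies an application-level format (Apache Common Log Format) to the payload. The host names, the `httpd` and `sshd` tags and the sample lines are constructed for illustration.

```python
import re

# BSD syslog envelope: "<PRI>Mmm dd hh:mm:ss host tag[pid]: payload"
ENVELOPE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<payload>.*)$"
)
# Apache Common Log Format payload: %h %l %u %t "%r" %>s %b
CLF = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_envelope(line):
    """Split the fixed syslog fields from the free-form payload."""
    m = ENVELOPE.match(line)
    if m is None or int(m.group("pri")) > 191:  # facilities 0-23, severities 0-7
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": m.group("tag"), "payload": m.group("payload")}

def parse_access(payload):
    """Apply the application-level format; None if the payload is other text."""
    m = CLF.match(payload)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def parse_line(line):
    env = parse_envelope(line)
    if env is not None:
        env["access"] = parse_access(env["payload"])
    return env

# Constructed sample lines: an access-log payload, a free-text payload,
# and a line with no syslog envelope at all.
SAMPLES = [
    '<134>Jan 14 10:36:06 web01 httpd: 192.0.2.10 - - '
    '[14/Jan/2003:10:36:06 -0800] "GET /index.html HTTP/1.0" 200 2326',
    '<38>Jan 14 10:36:07 web01 sshd[411]: session opened for user alice',
    'something happened',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
```

The envelope parser knows nothing about Apache, and the payload parser knows nothing about syslog; a payload that matches no agreed format still arrives, but only as an opaque string.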
This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 10:36:06 PST