RE: [logs] Syslog payload format

From: Ogle Ron (Rennes) (ron.ogleat_private)
Date: Tue Jan 14 2003 - 09:36:35 PST

    I'll give you an example.  My Apache web server sends out access logs that I
    roll right over into syslog.  (Actually it's syslog-ng because of the UDP
    issue.)  The format is straightforward, easy to parse, and low-overhead.
    Then on my log server side, my parsing and graphing tools make nice little
    pictures.
    
    The developers of Apache send out to the logs all of the meaningful data in
    the format that they see fit, because that is how they see the data: in a
    nice, easy-to-carry package.  Syslog gives me the means to move it off the
    machine to a log server.  Nice and efficient!  BTW, my Apache server didn't
    have to spend any time chunking/tagging the data.
    
    See, if you guys/gals spent more time trying to figure out what you wanted
    an OS or application maker to provide you, then you could start to write
    standards, like the W3C did, for the data that you wanted.
    
    This is what I really mean about IP, TCP, UDP, etc.  Ethernet, IP, and TCP
    couldn't care less what protocol is running on top of them.  Syslog should
    be the same way.  In essence, syslog puts a couple of specific data items up
    front and then gives you a bunch of free space.  Define the standards on top
    of syslog that are meaningful for the data collections in a way that is most
    appropriate for the way that the application generates the data.
    
    Nice, efficient, unobtrusive, and minimal.
    
    Ron Ogle
    Rennes, France
    
    > -----Original Message-----
    > From: Frank O'Dwyer [mailto:fodat_private]
    > Sent: Tuesday, January 14, 2003 05:45 PM
    > To: Ogle Ron (Rennes); loganalysisat_private
    > Subject: RE: [logs] Syslog payload format
    > 
    > Ron Ogle wrote:
    > > Like I said before, it would be amazing if Ethernet, IP, TCP, UDP, etc.
    > > would have survived you guys.  You can have all kinds of tools that can
    > > take this nice efficient log and show you pretty pictures later on the
    > > log server.
    > 
    > Nice? Efficient? You've got to be kidding!
    > 
    > If TCP/IP had been designed using the same principles as syslog, then
    > there would be no Internet and we would not be having this discussion,
    > because:
    > 
    > * half the data would never show up
    > * the network address would be missing
    > * the IP address would be written in English as "please send this packet
    >   to one-hundred-and-twenty"
    > * Or completely differently if the developer felt like it, or made a typo.
    > 
    > There are two kinds of simple - simple/elegant and simple/broken. Syslog
    > is a model example of the latter.
    > 
    > Cheers,
    > Frank
    > 
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
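As an added example (not code from Ron's post, nor from Apache or syslog-ng), here is the two-layer parse his setup implies: the fixed syslog header first, then Apache's own combined-log format inside the free-form message. The sample lines are constructed, and the assumption that the forwarder tags Apache lines "httpd" is mine. It also carries the check a practitioner wants at this point: the quoted fields (request line, Referer, User-Agent) are client-influenced and Apache backslash-escapes quotes and control characters in them, so the payload parser must honor that escape rather than end the field at the first quote, and lines it cannot parse are reported rather than silently dropped.

```python
"""Parse Apache access-log records carried as the free-form payload of
BSD-syslog (RFC 3164) messages, the layering described in the post."""
import re
from collections import Counter
from typing import Optional

# Constructed sample input (not from the original post). Lines 1 and 2 are
# Apache "combined" access-log records forwarded with priority <134>
# (local0.info); line 3 is an unrelated sshd message on the same transport;
# line 4 is garbage, to show that unparseable input is reported, not dropped.
SAMPLE_LINES = [
    '<134>Jan 14 09:36:35 www1 httpd: 192.0.2.10 - - [14/Jan/2003:09:36:35 +0100] '
    '"GET /index.html HTTP/1.1" 200 2326 "http://www.example.com/start.html" '
    '"Mozilla/4.08 [en] (Win98; I ;Nav)"',
    '<134>Jan 14 09:36:36 www1 httpd: 198.51.100.7 - frank [14/Jan/2003:09:36:36 +0100] '
    '"POST /cgi-bin/login HTTP/1.0" 302 - "-" "Evil \\"quoted\\" agent"',
    '<38>Jan 14 09:36:40 www1 sshd[1234]: Accepted publickey for ron from 203.0.113.5 port 51234 ssh2',
    'this is not a syslog line at all',
]

# Layer 1: the "couple of specific data items up front". RFC 3164 puts <PRI>,
# a timestamp and a hostname first; most daemons then begin the message with
# TAG[pid]: before the free-form text.
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$'
)

# Layer 2: Apache's own record format inside the free space. The quoted fields
# are client-influenced; Apache backslash-escapes quotes, backslashes and
# control characters in them, so an escaped quote must not end the field.
def _quoted(name: str) -> str:
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

APACHE_COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    + _quoted('request') + r' (?P<status>\d{3}) (?P<bytes>\d+|-) '
    + _quoted('referer') + ' ' + _quoted('agent') + r'$'
)

_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[bnrtv"\\])')
_SIMPLE_ESCAPES = {'b': '\b', 'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', '"': '"', '\\': '\\'}

def unescape_apache(field: str) -> str:
    """Undo Apache's log escaping: quotes, backslashes, C-style control
    characters and hex-escaped bytes."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x':
            return chr(int(esc[1:], 16))
        return _SIMPLE_ESCAPES[esc]
    return _ESCAPE_RE.sub(repl, field)

def parse_syslog(line: str) -> Optional[dict]:
    """Split off the syslog header; None if the line is not a syslog message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    if pri > 191:  # only facility 0..23 and severity 0..7 are valid
        return None
    hdr = m.groupdict()
    hdr['pri'] = pri
    hdr['facility'], hdr['severity'] = pri >> 3, pri & 7
    hdr['pid'] = int(hdr['pid']) if hdr['pid'] else None
    return hdr

def parse_apache_combined(msg: str) -> Optional[dict]:
    """Parse the payload as an Apache combined-format record; None if it is not one."""
    m = APACHE_COMBINED_RE.match(msg)
    if not m:
        return None
    rec = m.groupdict()
    for f in ('request', 'referer', 'agent'):
        rec[f] = unescape_apache(rec[f])
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])  # %b logs "-" for no body
    # The request line is client-supplied: split it only when it has the
    # expected three tokens, otherwise leave the raw string for the analyst.
    parts = rec['request'].split(' ')
    rec['method'], rec['path'], rec['protocol'] = parts if len(parts) == 3 else (None, None, None)
    return rec

def parse_line(line: str, apache_tag: str = 'httpd') -> dict:
    """Layer the two parsers. apache_tag is an assumption about how the
    forwarder labels Apache lines; anything else stays a plain syslog record."""
    hdr = parse_syslog(line)
    if hdr is None:
        return {'kind': 'unparsed', 'raw': line}
    if hdr['tag'] == apache_tag:
        rec = parse_apache_combined(hdr['msg'])
        if rec is not None:
            return {'kind': 'apache', **hdr, **rec}
    return {'kind': 'syslog', **hdr}

def status_histogram(lines) -> Counter:
    """Per-status counts over the Apache records: the kind of aggregate a
    log-server graphing tool would plot."""
    return Counter(r['status'] for r in map(parse_line, lines) if r['kind'] == 'apache')
```

Running `status_histogram(SAMPLE_LINES)` over the constructed input yields one 200 and one 302; the sshd line comes back as a plain syslog record with facility 4 (auth) and the garbage line as kind "unparsed", so nothing is lost between the transport and the graph.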
    

    This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 10:36:06 PST