RE: [logs] Syslog payload format

From: Marcus J. Ranum (mjrat_private)
Date: Tue Jan 14 2003 - 10:48:09 PST

  • Next message: Ogle Ron (Rennes): "RE: [logs] Syslog payload format"

    Ogle Ron (Rennes) wrote:
    >Nice and Efficient!  BTW, my Apache server didn't have to spend
    >any time chunking/tagging the data
    That's because Apache has a nice simple problem. Everything
    is tied to an IP address, a method, a version of HTTP, a
    document size and a return code. That's an _EASY_ problem
    and it makes for an easy solution.
    Secondly, web server software writers have the advantage of
    being able to see how awful a mess you can get when you
    don't have any kind of standards in the log format. Since
    web server log analysers want pretty much the same information
    you can use pretty much the same format (except for where
    they are incompatible, of course) - so the WC3 folks could
    look at syslog and see where it went wrong and avoid some
    of its mistakes.
    When you trivialize a problem by looking at a subset of it,
    it's really easy to criticize broader approaches as too
    complex. It's intellectually dishonest to do that, though,
    and doesn't add much to the discussion.
    Marcus J. Ranum
    Computer and Communications Security	mjrat_private
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 11:45:45 PST