I will display my ignorance again by asking "What makes Syslog unique and different from other text-based log files?" I understand it is the traditional system log file for UNIX systems. I "assume" that when anything writes to Syslog a date and time stamp is automatically inserted. I also "assume" that you are writing to a process and not simply appending to a text file. However, it seems that almost any text can be written to Syslog by any application. Are there formatting rules?

Sorry for being lazy at this time and asking instead of researching. Hopefully next month I will get on a task capturing Oracle logs and putting them through some sort of analyzer for key security events. Alas, all systems are Windows so no native Syslog.

Adam

-----Original Message-----
From: Rainer Gerhards [mailto:rgerhards@private]
Sent: Monday, March 15, 2004 4:45 AM
To: Safier, Adam *; loganalysis@private
Subject: RE: [logs] Log Samples Requested

> BTW, does log analysis have to be only on syslogs? How about
> output from
> applications (Oracle database log, binary logs, ...)?

I strongly think: NO! But I think it is sufficient to initially look at syslog, only. Even with current technology, you can "convert"/relay/transport (whichever term you like) many other logs (text files, serial devices, database content, to some extent binary data) to syslog data. However, focussing on syslog gives you at least some common properties, like that you deal with a stream of non-binary characters, which simplifies some parts of the analysis. I think *if* we tackle syslog analysis sufficiently well (and we are far from that), we can also tackle other log sources by simply applying the right pre-processor.

At least this is my current state of thinking...

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
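Added example, not part of the list thread: it answers the "are there formatting rules?" question and shows the "pre-processor" step Rainer describes, for the BSD syslog line layout documented in RFC 3164, `<PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG` with `PRI = facility * 8 + severity`. The header part is what the syslog library and daemon prepend; the application only supplies the free-text MSG, which is why any text at all can show up there. The parser below pulls a line apart for analysis, rejects lines that do not fit the layout, and `to_syslog` wraps a foreign record (here a constructed Oracle-style error line) in a syslog header so it can be fed to the same analyser. Function names, the sample lines and the timestamp are assumptions made for this example.

```python
"""Parse RFC 3164 (BSD) syslog lines and wrap foreign log lines in a syslog header.
Added example for the thread above, not code from the LogAnalysis list or any project."""
import re
from datetime import datetime

# Facility codes from RFC 3164 section 4.1.1 (short names as used in syslog.conf).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}
# Severity codes 0..7 from RFC 3164 section 4.1.1.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG   (day is space-padded, e.g. "Mar  5")
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Return the header fields and message of one syslog line, or None if the
    line does not follow the RFC 3164 layout (so the analyser can count/quarantine it)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # largest legal PRI is 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES.get(facility, "unknown"),
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def to_syslog(facility, severity, host, tag, msg, when):
    """The 'pre-processor': give a non-syslog record a syslog header.
    'when' is the time the record was taken, passed in explicitly so the
    timestamp is reproducible and not the relay's clock."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    # MSG is free text and syslog is line-oriented: collapse embedded newlines
    # so a multi-line source record does not turn into fragments downstream.
    body = " ".join(msg.split())
    return f"<{pri}>{ts} {host} {tag}: {body}"


# Constructed sample input (not real captures).
SAMPLE_SYSLOG = "<38>Mar 15 04:45:00 host1 sshd[1234]: Accepted publickey for adam from 10.0.0.5"
SAMPLE_ORACLE = "ORA-01017: invalid username/password; logon denied"
SAMPLE_WHEN = datetime(2004, 3, 15, 4, 45, 0)  # assumed capture time


def demo():
    """Parse the syslog sample, relay the Oracle sample, and parse the relayed line back."""
    relayed = to_syslog("local0", "warning", "orahost", "oracle", SAMPLE_ORACLE, SAMPLE_WHEN)
    return parse_syslog(SAMPLE_SYSLOG), relayed, parse_syslog(relayed)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Splitting PRI into facility and severity is what makes syslog more than a flat text file for analysis: an analyser can route on `auth`/`authpriv` and on severity without understanding the application-specific MSG text, and lines the parser returns `None` for are worth counting, since a stream of unparseable records is itself a signal.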
This archive was generated by hypermail 2b30 : Mon Mar 15 2004 - 10:06:50 PST