RE: [logs] Log Samples Requested

From: Rainer Gerhards (rgerhards@private)
Date: Mon Mar 15 2004 - 08:44:27 PST

    Adam,
    
    thanks for your comment - I think my wording was misleading. 
    
    This is what I said:
    
    > > BTW, does log analysis have to be only on syslogs?  How about output from
    > > applications (Oracle database log, binary logs, ...)?
    > 
    > I strongly think: NO!
    
    actually, that was supposed to be:
    
    > > BTW, does log analysis have to be only on syslogs? 
    > 
    > I strongly think: NO!
    
    That means I agree with you that syslog is basically text based logs.
    However, this, in turn, is already an abstraction, for example it leaves
    out the binary logs mentioned in the comment above. 
    
    There are three primary reasons why I focus on syslog first:
    
    #1 if you do syslog right, you probably have managed to take care of the
    rest of the text based logs PLUS all logs that can be converted to
    text/syslog (which means all)
    
    #2 there is a lively community taking care of syslog log analysis, so it
    is a bit easier to get comments (at least I hope) than if I'd tackle all
    types of log in the first place
    
    #3 limiting the data to syslog relieves you of ways to gather logs
    centrally and such, so you can rule out that part of the picture. I
    think this is a particularly important reason to focus on syslog first.
    
    I hope this clarifies.
    
    Rainer
    
    > -----Original Message-----
    > From: Safier, Adam * [mailto:Safier@private] 
    > Sent: Monday, March 15, 2004 4:20 PM
    > To: Rainer Gerhards; Safier, Adam *; loganalysis@private
    > Subject: RE: [logs] Log Samples Requested
    > 
    > I will display my ignorance again by asking "What makes Syslog unique and
    > different from other text based log files?"
    > 
    > I understand it is the traditional system log file for UNIX systems.  I
    > "assume" that when anything writes to Syslog a date and time stamp is
    > automatically inserted.  I also "assume" that you are writing to a process
    > and not simply appending to a text file.  However, it seems that almost any
    > text can be written to Syslog by any application.  Are there formatting
    > rules?
    > 
    > Sorry for being lazy at this time and asking instead of researching.
    > Hopefully next month I will get on a task capturing Oracle logs and putting
    > them through some sort of analyzer for key security events.  Alas, all
    > systems are Windows so no native Syslog.
    > 
    > Adam
    > 
    > -----Original Message-----
    > From: Rainer Gerhards [mailto:rgerhards@private]
    > Sent: Monday, March 15, 2004 4:45 AM
    > To: Safier, Adam *; loganalysis@private
    > Subject: RE: [logs] Log Samples Requested
    > 
    > 
    > > BTW, does log analysis have to be only on syslogs?  How about output from
    > > applications (Oracle database log, binary logs, ...)?
    > 
    > I strongly think: NO! But I think it is sufficient to initially look at
    > syslog, only. Even with current technology, you can
    > "convert"/relay/transport (whichever term you like) many other logs (text
    > files, serial devices, database content, to some extent binary data) to
    > syslog data. However, focussing on syslog gives you at least some common
    > properties, like that you deal with a stream of non-binary characters,
    > which simplifies some parts of the analysis. I think *if* we tackle
    > syslog analysis sufficiently well (and we are far from that), we can
    > also tackle other log sources by simply applying the right
    > pre-processor. At least this is my current state of thinking...
    > 
    > Rainer
    > 
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
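The "pre-processor" idea in Rainer's message above, and Adam's question about whether syslog has formatting rules, can be made concrete with a small added example. This is not code from the thread or from any project mentioned in it. It assumes the BSD syslog wire format as published in RFC 3164 (a `<PRI>` value computed as facility * 8 + severity, a `Mmm dd hh:mm:ss` timestamp with a space-padded day, a hostname, and a `TAG[pid]:` prefix before free text). The application log lines fed into it are constructed samples, as is the `dbhost` hostname. The two halves show both directions Rainer describes: wrapping arbitrary text-log output as syslog data, and then relying on the common properties (one printable line, fixed header fields) when parsing.

```python
import re
from datetime import datetime

# Facility and severity codes as defined in RFC 3164 (not from the thread).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility, severity):
    """PRI value per RFC 3164: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def to_syslog(facility, severity, when, host, tag, msg):
    """Wrap one line of arbitrary application log text as a BSD syslog message.

    Control characters are escaped as \\xNN so the result is guaranteed to be
    a single line of printable characters, which is the 'common property'
    the discussion relies on.
    """
    clean = "".join(c if 0x20 <= ord(c) < 0x7F else f"\\x{ord(c):02x}" for c in msg)
    # RFC 3164 TIMESTAMP is 'Mmm dd hh:mm:ss'; a single-digit day is space-padded.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{ts} {host} {tag}: {clean}"


def preprocess(lines, facility, severity, when, host, tag):
    """The pre-processor step: turn a list of foreign log lines into syslog lines."""
    return [to_syslog(facility, severity, when, host, tag, line) for line in lines]


# Header layout of an RFC 3164 message once it is on the wire.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Split a syslog line into its header fields; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    p = int(fields.pop("pri"))
    fields["facility"] = p // 8
    fields["severity"] = p % 8
    return fields


if __name__ == "__main__":
    # Constructed sample lines standing in for a database alert log.
    app_lines = [
        "login failed for user alice from 10.0.0.5",
        "audit trail\tpurged",          # tab will be escaped on the way out
    ]
    stamp = datetime(2004, 3, 15, 8, 44, 27)
    for out in preprocess(app_lines, "auth", "warning", stamp, "dbhost", "oracle"):
        print(out)
        print("   ->", parse_syslog(out))
```

Because every converted line passes through the same header layout, the analysis side needs only one parser regardless of where the text originated; the cost of that convenience is that anything which was structured in the source (the tab-separated fields in the second sample line) has to be recovered from the free-text part by a source-specific rule.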
    
    This archive was generated by hypermail 2b30 : Mon Mar 15 2004 - 10:09:39 PST