On Mon, 2004-08-23 at 13:49, Moehrke, John (MED, GEMS-IT) wrote:
>
> >-----Original Message-----
> >From: loganalysis-bounces+john.moehrke=med.ge.com@private
> >[mailto:loganalysis-bounces+john.moehrke=med.ge.com@private] On Behalf Of
> >Rainer Gerhards
> >Sent: Monday, August 16, 2004 10:34 AM
> >To: Marcus J. Ranum; Darren Reed
> >Cc: loganalysis@private
> >Subject: RE: [logs] idea: let's scare ourselves...
> >
> <SNIP>
> >One final thought. We, the real "log guys" found that IETF efforts are
> >bad and should be ignored. Those poor (unknowing) outside guys do not
> >know it. For example, the healthcare industry is obviously
> >standardizing on BEEP-based syslog. Might it be that the "outsiders"
> >simply assume that a standard is good? Might it be smart to let them
> >know if we have really good arguments against this...
> >
>
> When you mention "the healthcare industry", I assume you are pointing at
> the IHE (Integrating the Healthcare Enterprise) efforts. I am one of the
> three main drivers of that effort within the IHE and I will tell you
> that we _are_ the "poor (unknowing) outsider guys". We have tried
> getting insiders to review, comment, and direct our efforts but have
> been met with ZERO response. We look at BSD syslog and "feel" that its
> limits are unacceptable. We look around for other standards and find
> only BEEP-based syslog. Thus we have no choice but to point at it. We
> don't like it for the same reasons that have been pointed out. But we
> have no choice but to point at standards.
>
> We would love to hear that there is something between BSD syslog, and
> BEEP-syslog. Now would be a good time to get comments on our efforts.
> You can find our profile for "Audit Trail and Node Authentication" at
> http://www.himss.org/ihe

There's something in-between: using the BSD syslog protocol on top of
TCP, with some slight changes:

* due to the stream nature of TCP, messages are not packet terminated, but
  line terminated (UNIX newline or NUL characters are acceptable line
  terminators)
* lines are not necessarily limited to 1024 characters

This protocol is used by Cisco PIXes, is implemented by syslog-ng and
some other products as well.

--
Bazsi

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
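
The framing described in the reply above, seen from the receiving side, as an added example that is not code from the post, syslog-ng or Cisco. The `MAX_LINE` cap and all names are assumptions: since lines are not limited to 1024 characters, the receiver has to choose its own bound so an unterminated stream cannot grow the buffer without limit. The `<PRI>` split uses the BSD syslog convention PRI = facility * 8 + severity.

```python
MAX_LINE = 8192  # assumed receiver-side cap; the post sets no limit

def _next_terminator(buf):
    """Index of the first LF or NUL in buf, or -1 if neither is present."""
    hits = [i for i in (buf.find(b"\n"), buf.find(b"\x00")) if i >= 0]
    return min(hits) if hits else -1

class SyslogTcpFramer:
    """Reassembles LF- or NUL-terminated syslog messages from TCP reads."""

    def __init__(self, max_line=MAX_LINE):
        self.max_line = max_line
        self.buf = bytearray()
        self.discarding = False  # True while skipping the rest of an oversized line
        self.oversized = 0       # count of dropped lines, worth alerting on

    def feed(self, chunk):
        """Add one TCP read; return the messages it completed."""
        out = []
        self.buf += chunk
        while (end := _next_terminator(self.buf)) >= 0:
            line = bytes(self.buf[:end])
            del self.buf[:end + 1]
            if self.discarding:            # tail of a line already counted
                self.discarding = False
            elif len(line) > self.max_line:
                self.oversized += 1
            elif line:                     # ignore empty frames such as "\n\x00"
                out.append(line)
        if len(self.buf) > self.max_line:  # no terminator in sight: bound memory
            self.oversized += not self.discarding
            self.discarding = True
            self.buf.clear()
        return out

def parse_pri(msg):
    """Split a BSD syslog "<PRI>" prefix into (facility, severity, rest)."""
    if msg[:1] == b"<" and (close := msg.find(b">", 1, 5)) > 1:
        digits = msg[1:close]
        if digits.isdigit() and int(digits) <= 191:
            return int(digits) >> 3, int(digits) & 7, msg[close + 1:]
    return None, None, msg  # no valid PRI: leave the line untouched

if __name__ == "__main__":
    # Constructed sample: one message split across two reads, then a NUL-terminated one.
    framer = SyslogTcpFramer()
    for read in (b"<34>Aug 23 13:49:00 host su: fail", b"ed\n<13>Aug 23 13:49:01 host app: ok\x00"):
        for message in framer.feed(read):
            print(parse_pri(message))
```
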
This archive was generated by hypermail 2.1.3 : Tue Aug 24 2004 - 07:05:37 PDT