So I've been thinking about that a little as well, from the POV of having a messaging/alerting framework. What sounds ideal to me is a single API for logging/messaging/whatever, which leverages messaging plugins and a rule file/UI to specify what types of messages go where. I don't want security alerts going to "generic" sysadmins. The plugins, then, define anything past log4j capabilities - SMS, SNMP, Prowl, what have you. (remedy? hehe)
A proper rules setup could allow escalation, notification windows… I suspect if there were hooks on the rules side more interesting things could come up... An argument could be made that an organization's existing monitoring/alerting system should handle this. Could probably counter it with the more info you supply to that monitoring system, the better. I don't want to hijack what Ram's up to if I'm going too far off on a tangent, here… :)

John

On Jan 3, 2013, at 10:42 AM, Chip Childers <[email protected]> wrote:

> I think that Ram and Hari are talking about CloudStack system "events"
> (call this set 1). The log4j conversation is around log messages being
> sent through the logger (call this set 2).
>
> If we assume that (2) is a superset of (1), then IMO there is no
> reason to do something different from the log4j syslog appender. On
> the other hand, if there is a portion of set (1) that is not included
> in set (2), then I actually think we have a logging problem to fix.
>
> On Thu, Jan 3, 2013 at 1:36 PM, John Kinsella <[email protected]> wrote:
>> Ram - my coffee's still kicking in, but that's still not clear to me. Maybe
>> you could put some sample logs in the wiki? Based off what you have there
>> right now (IP, time stamp, message type, log level, log message) this comes
>> already from the log4j appender. Sample output that I just set up by
>> setting the syslog appender level to DEBUG and setting up my syslog daemon
>> on the master to accept network traffic ("-r" flag in /etc/sysconfig/syslog
>> on centos)
>>
>> Jan 3 12:33:46 localhost.localdomain DEBUG
>> [cloud.alert.ClusterAlertAdapter] (Cluster-Notification-1:) Receive cluster
>> alert, EventArgs: com.cloud.cluster.ClusterNodeJoinEventArgs
>>
>> Whether localhost.localdomain is an IP or resolved hostname is based on
>> syslogd/syslog-ng settings. Happy to write up a wiki on this (probably
>> should anyways) but still trying to figure out if your plan is to provide
>> more than this...
>>
>> John
>>
>> On Jan 3, 2013, at 8:53 AM, Ram Ganesh <[email protected]> wrote:
>>
>>> Alex,
>>>
>>> With this requirement CloudStack will send out events in syslog format.
>>> Apart from sending them in SNMP format (if configured accordingly) and also
>>> in email format. Hope it is clear
>>>
>>> Thanks,
>>> Ram
>>>
>>>> -----Original Message-----
>>>> From: Alex Huang [mailto:[email protected]]
>>>> Sent: 03 January 2013 00:14
>>>> To: [email protected]
>>>> Cc: Hari Kannan
>>>> Subject: RE: [DISCUSS] Syslog enhancements
>>>>
>>>> Here are some references for people who don't know log4j and syslog well.
>>>>
>>>> http://loggly.com/support/sending-data/logging-from/application-logs/java/
>>>>
>>>> Maybe all we need is someone to add this information to our wiki or
>>>> maybe this is only a docs improvement?
>>>>
>>>> --Alex
>>>>
>>>>> -----Original Message-----
>>>>> From: Alex Huang [mailto:[email protected]]
>>>>> Sent: Wednesday, January 02, 2013 10:39 AM
>>>>> To: [email protected]
>>>>> Cc: Hari Kannan
>>>>> Subject: RE: [DISCUSS] Syslog enhancements
>>>>>
>>>>> Hari,
>>>>>
>>>>> I echo John's question here. I don't see any requirements on the
>>>>> wiki that require more than a syslog appender for log4j. What this means is
>>>>> that whatever is logged to our current log file will get sent to syslog.
>>>>> That's something someone can configure today on existing releases. Do you
>>>>> have more use cases? For example, is there anything that should be logged
>>>>> to syslogs but not in our logs or vice versa?
>>>>>
>>>>> --Alex
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: John Kinsella [mailto:[email protected]]
>>>>>> Sent: Wednesday, December 26, 2012 1:53 PM
>>>>>> To: [email protected]
>>>>>> Subject: Re: [DISCUSS] Syslog enhancements
>>>>>>
>>>>>> (Changed subject as noted by Alex)
>>>>>>
>>>>>> Question - is this feature something beyond using the syslog
>>>>>> appender in log4j?
>>>>>>
>>>>>> One thing I'd like to see is logs using key-value pairs. The closer
>>>>>> to that we can get, the easier it is for me to have the logs consumed by a
>>>>>> separate analytics package.
>>>>>>
>>>>>> One nitpick - syslog can be udp or tcp.
>>>>>>
>>>>>> On Dec 26, 2012, at 11:12 AM, Hari Kannan <[email protected]> wrote:
>>>>>>
>>>>>>> Hello All,
>>>>>>>
>>>>>>> I wish to propose syslog enhancements in CloudStack - I have added some
>>>>>>> details here <https://cwiki.apache.org/confluence/display/CLOUDSTACK/syslog+enhancements>
>>>>>>> along with a JIRA ticket 772
>>>>>>>
>>>
>>>
>>
>> Stratosec - Secure Infrastructure as a Service
>> o: 415.315.9385
>> @johnlkinsella
>>
>

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella
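The thread makes two concrete technical points: the line that the log4j syslog appender already emits (the `cloud.alert.ClusterAlertAdapter` sample above) is positional rather than key-value, and a rules file could decide which messages reach which audience so that security alerts don't land with generic sysadmins. The following is an added example, not code from the thread or from CloudStack: it parses lines of the appender's format into key=value fields and runs them through a small first-match rule set. The rule names, the destination names, the logfmt-style serialization and the two non-alert sample lines are constructed for illustration; only the first sample line is taken from the thread.

```python
"""Parse log4j-via-syslog lines into key-value fields and route them by rules.

Added example for the CloudStack syslog discussion. The rule set, destinations
and all sample lines except the first are hypothetical / constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of a CloudStack line as it arrives through the log4j syslog appender:
#   "<syslog timestamp> <host> <LEVEL> [<log4j category>] (<thread>:) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>[A-Z]+) "
    r"\[(?P<category>[^\]]+)\] \((?P<thread>[^)]*)\) (?P<msg>.*)$"
)

LEVELS = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["thread"] = fields["thread"].rstrip(":")
    # Promote "Key: value" fragments inside the free-text message to fields,
    # e.g. "EventArgs: com.cloud...." becomes eventargs=com.cloud....
    for key, value in re.findall(r"(\w+):\s*(\S+)", fields["msg"]):
        fields[key.lower()] = value
    return fields


def to_logfmt(fields: Dict[str, str]) -> str:
    """Serialize fields as space-separated key=value pairs (logfmt style)."""
    parts = []
    for key, value in fields.items():
        value = str(value)
        if " " in value or '"' in value:
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{key}={value}")
    return " ".join(parts)


@dataclass
class Rule:
    """One routing rule: category prefix plus minimum level -> destination."""
    name: str
    destination: str
    category_prefix: str = ""      # "" matches every category
    min_level: str = "TRACE"       # TRACE matches every level

    def matches(self, fields: Dict[str, str]) -> bool:
        level_ok = LEVELS.get(fields["level"], 0) >= LEVELS[self.min_level]
        return fields["category"].startswith(self.category_prefix) and level_ok


# Hypothetical rule file, evaluated top to bottom, first match wins.
RULES: List[Rule] = [
    Rule("security-alerts", "security-oncall-sms", category_prefix="cloud.alert."),
    Rule("errors-to-ops", "ops-pager", min_level="ERROR"),
    Rule("catch-all", "syslog-archive"),
]


def route(fields: Dict[str, str], rules: List[Rule] = RULES) -> str:
    """Return the destination of the first matching rule, or 'unrouted'."""
    for rule in rules:
        if rule.matches(fields):
            return rule.destination
    return "unrouted"


# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LINES = [
    "Jan 3 12:33:46 localhost.localdomain DEBUG [cloud.alert.ClusterAlertAdapter] "
    "(Cluster-Notification-1:) Receive cluster alert, EventArgs: "
    "com.cloud.cluster.ClusterNodeJoinEventArgs",
    "Jan 3 12:34:01 localhost.localdomain ERROR [cloud.api.ApiServer] "
    "(catalina-exec-3:) Unable to process request",
    "Jan 3 12:34:02 localhost.localdomain INFO [cloud.vm.UserVmManagerImpl] "
    "(Job-Executor-2:) VM state transition",
]


def route_all(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (destination, logfmt record) per line; unparsed lines are kept."""
    results = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            results.append(("unparsed", line))
        else:
            results.append((route(fields), to_logfmt(fields)))
    return results


if __name__ == "__main__":
    for destination, record in route_all(SAMPLE_LINES):
        print(f"{destination:20s} {record}")
```

The point of the first-match ordering is that the `cloud.alert.*` rule is evaluated before the level-based one, so a DEBUG-level cluster alert still reaches the security channel while an unrelated ERROR goes to the ops pager; the catch-all keeps everything else in the normal syslog archive.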
