Commenting just on the issue of "Syslog (in the 'nix sense) structure."

No, RFC 5424 is not widely observed.

Syslog epitomizes the aphorism about "God loves standards -- that's why he 
created so many of them." About the only Syslog "standard" that everyone almost 
follows is RFC 3164, and even that is not followed very well. (And it's not 
even a standard, that's why I put it in quotes. It "describes observed 
behavior.") Bits and pieces of RFC 5424/25/26/27 are in wide use (TCP/IP, 
longer messages -- but not the header.) There is a "standard" for XML Syslog 
(RFC 3195) but so far as I know *no one* uses it.

There have been several "common" attempts to impose some structure on Syslog, 
most notably the "Common Event Expression" endeavor pushed by MITRE. I don't 
think anyone is paying attention.

There are two proprietary structures imposed by a particular vendor with some 
success:

"CEF" is an ArcSight invention. (ArcSight is now owned by HP.) It imposes a 
rigorous structure on Syslog messages with a rigid header and specific field 
tags. ArcSight may be the most widely-implemented SIEM. 
(http://en.wikipedia.org/wiki/Security_information_and_event_management if you 
are not familiar with the term SIEM; it's what your non-Z brethren think of 
when you say "computer security" the way you think of RACF. [But no, they are 
not analogous in function.])

"LEEF" is a Q1 Labs invention. Q1 Labs is now owned by IBM, and I believe IBM 
is making good headway with the product, QRadar. LEEF is quite similar to CEF, 
but not quite so rigid.

That's probably enough for a mainframe list. Anyone with questions can reply 
on- or off-line.

Charles
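
Charles's description of CEF above (a rigid `|`-separated header followed by `key=value` extension fields) as an added parsing example; this is not code from the thread or from ArcSight, the sample message and the `parse_cef` name are constructed here, and the escaping rules (backslash before `|` in header fields, before `=` in extension values) follow the published CEF specification.

```python
import re

# CEF header fields, in the order the prefix defines them after "CEF:".
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([\w.]+)=")  # key=... preceded by start or space

def _split_header(text):
    """Split on the first seven unescaped '|'; header fields escape '|' and '\\'."""
    parts, current, i = [], [], 0
    while i < len(text) and len(parts) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(text[i:])  # remainder is the extension, still escaped
    return parts

def _unescape_value(value):
    # Extension values escape '=' and '\\'; "\n" and "\r" encode line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one CEF message (optionally behind a syslog prefix) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in message")
    parts = _split_header(line[start + 4:])
    if len(parts) != 8:
        raise ValueError("CEF header needs seven '|'-separated fields")
    event = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    event["version"] = int(event["version"])
    ext, keys = parts[7], list(_KEY_RE.finditer(parts[7]))
    event["extension"] = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        event["extension"][m.group(1)] = _unescape_value(raw.strip())
    return event

# Constructed sample: escaped '|' in the name, escaped '=' in a value, space in a value.
SAMPLE = ("<13>Dec  4 09:16:00 gw1 CEF:0|Example Corp|Gateway|2.1|1001|"
          "Login denied \\| locked out|7|src=192.0.2.10 spt=5501 "
          "msg=user\\=alice failed cs1Label=Reason cs1=bad password")
```

A plain RFC 3164-style line with no `CEF:` marker is rejected with `ValueError`, which is the practical difference between this and free-form syslog text.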

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John McKown
Sent: Thursday, December 04, 2014 9:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: thought: z/OS structured logging

On Thu, Dec 4, 2014 at 8:44 AM, Elardus Engelbrecht <elardus.engelbre...@sita.co.za> wrote:
<snip>

> > And I will admit that my mind has been corrupted by using Linux too
> > much lately. <grin/>
>
> Please refresh my mind about how the Linux version of log(s) is working?
>
Well, the normal UNIX syslogd data is very similar to the z/OS SYSLOG in that 
it is unstructured. But I ran across RFC 5424, 
https://tools.ietf.org/html/rfc5424, which does not really seem to be in use. 
But that RFC inspired me to think about "Advanced Message Logging for z/OS" (to 
give it a marketing-type name). One plus of this would be that it would be much 
simpler to extract data from a structured data stream for automation purposes. 
And perhaps to store the log information in a DB2 database using DB2 pureXML, 
if XML is the structure format of choice. I do like XML. It is wordy, 
especially compared to JSON, but the tools already available can be quite nice.
