> -----Original Message-----
> From: David Harrington [mailto:[email protected]]
> Sent: Wednesday, November 10, 2010 7:52 AM
> To: Rainer Gerhards; [email protected]
> Subject: RE: [Syslog] Small draft for Syslog File Storage?

Good questions, as usual. Obviously I have only one voice here, so for the
most part, I do not know. Would the OPS area be the right area to ask this in
addition to here?

My question was motivated by the Mitre CEE effort:

http://cee.mitre.org/

In very short words, CEE tries to define a standard event format, where what
syslog carries is a subset of the events possible. CEE will also define
syntaxes for log storage. We will most probably support XML, CSV, JSON and
syslog, with syslog being the only format where only an on-the-wire but no
file format standard exists.

I am on the CEE board and one thing we currently try to accomplish is to define
a CEE-to-syslog mapping. There are a couple of the larger vendors interested
in logging on the board and the overall consensus seems to be that text files
play an important role when it comes to

a) storing log messages
b) feeding log messages into analysis backends

My own experience in the Linux environment and working with larger users
confirms that. I have some very large customers (which I cannot name due to
NDA) which store logs in (zipped) text file format because any other store is
impractical for their needs. Of course, that doesn't exclude representations
of other subsets in other formats for other needs.

I will try to gather feedback at least from the CEE community, but would
appreciate comments from others as well.

Rainer

> How many syslog sender/receiver implementers would be willing to
> support such a common format?
> 
> How many log analysis application vendors would like such a common
> format? Or do they consider it unnecessary because they convert
> incoming info into their own proprietary database formats anyway?
> 
> dbh
> 
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Rainer Gerhards
> > Sent: Wednesday, November 10, 2010 2:24 PM
> > To: [email protected]
> > Subject: [Syslog] Small draft for Syslog File Storage?
> >
> > Hi all,
> >
> > In what we did, we specified the on-the-wire format. However, we did not
> > specify any format to use when persisting syslog data to a file.
> >
> > Note that we were very generous when specifying the on-the-wire format, for
> > example we permit LF, CR, NUL and many other characters considered dangerous
> > in file formats.
> >
> > There are many tools available which interpret syslog data stored in text
> > files. However, different syslog implementations may use slightly different
> > file formats.
> >
> > Together with the control character issue, the file format question has both
> > interoperability AND security issues. I think these would be very easy to fix
> > if we write a small RFC that specifies how text is to be encoded. It would be
> > similar to, but much smaller than, RFC 4627 (JSON). Actually, I think we
> > would need to carry over primarily its section 2.5.
> >
> > I would volunteer to write an initial draft, but would first like to get some
> > feedback if this effort has any chance of getting through.
> >
> > Rainer
> > _______________________________________________
> > Syslog mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/syslog
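As an added illustration of the encoding rule the quoted proposal points at (this is not code from the thread, from Rainer's draft, or from any CEE or IETF artifact): one stored record per line, with the string escaping of RFC 4627 section 2.5 carried over, so that LF, CR, NUL and other control characters inside a message can neither start a forged second record nor corrupt the file, and a reader can tell a conforming file from a damaged or non-conforming one. The record-per-line layout, the function names and the strict rejection of raw control characters on read are assumptions of this example; the sample messages are constructed.

```python
# Added example: persisting syslog messages to a text file, one record per
# line, with RFC 4627 section 2.5 string escaping. Assumed file format, not
# an IETF or CEE specification.

# Short escapes RFC 4627 defines for common control characters.
SHORT_ESCAPES = {0x08: 'b', 0x09: 't', 0x0A: 'n', 0x0C: 'f', 0x0D: 'r'}
UNESCAPE = {'b': '\b', 't': '\t', 'n': '\n', 'f': '\f', 'r': '\r',
            '"': '"', '\\': '\\', '/': '/'}


class MalformedRecord(ValueError):
    """Raised when a stored line is not a valid escaped record."""


def encode_record(msg):
    """Escape one message so it occupies exactly one line of the file.

    Quotation mark, reverse solidus and every code point below U+0020 are
    escaped, as section 2.5 requires; everything else (including non-ASCII
    text, which syslog carries as UTF-8) is written through unchanged.
    """
    out = []
    for ch in msg:
        cp = ord(ch)
        if ch == '"':
            out.append('\\"')
        elif ch == '\\':
            out.append('\\\\')
        elif cp < 0x20:
            if cp in SHORT_ESCAPES:
                out.append('\\' + SHORT_ESCAPES[cp])
            else:
                out.append('\\u%04x' % cp)   # e.g. NUL -> \u0000
        else:
            out.append(ch)
    return ''.join(out)


def decode_record(line):
    """Reverse encode_record for one line.

    A raw control character in the line means the writer did not follow the
    format (or the file was tampered with), so the record is rejected rather
    than silently passed to an analysis backend.
    """
    out = []
    i, n = 0, len(line)
    while i < n:
        ch = line[i]
        if ord(ch) < 0x20:
            raise MalformedRecord('raw control character at offset %d' % i)
        if ch != '\\':
            out.append(ch)
            i += 1
            continue
        if i + 1 >= n:
            raise MalformedRecord('dangling backslash at end of record')
        esc = line[i + 1]
        if esc in UNESCAPE:
            out.append(UNESCAPE[esc])
            i += 2
        elif esc == 'u':
            hexdigits = line[i + 2:i + 6]
            if len(hexdigits) != 4 or any(c not in '0123456789abcdefABCDEF'
                                          for c in hexdigits):
                raise MalformedRecord('bad \\u escape at offset %d' % i)
            out.append(chr(int(hexdigits, 16)))
            i += 6
        else:
            raise MalformedRecord('unknown escape \\%s at offset %d' % (esc, i))
    return ''.join(out)


def write_records(msgs):
    """Serialize messages to file text: one escaped record per LF-terminated line."""
    return ''.join(encode_record(m) + '\n' for m in msgs)


def read_records(text):
    """Parse file text back into the original messages, record by record."""
    lines = text.split('\n')
    if lines and lines[-1] == '':
        lines.pop()           # trailing terminator of the last record
    return [decode_record(line) for line in lines]


# Constructed sample input: a message whose content (e.g. a user-supplied
# string) contains LF, CR, NUL and a quote, and a plain message after it.
SAMPLE_MESSAGES = [
    '<34>1 2010-11-10T07:52:00Z host app - - - login failed for "bob"\n'
    '<34>1 2010-11-10T07:52:01Z host app - - - looks like a second record\r\x00',
    '<165>1 2010-11-10T07:53:00Z host app - - - plain message',
]


def demo():
    """Round-trip the samples; returns (file_text, line_count, recovered)."""
    text = write_records(SAMPLE_MESSAGES)
    return text, text.count('\n'), read_records(text)


if __name__ == '__main__':
    file_text, lines, recovered = demo()
    print(file_text)
    print('records stored:', lines, 'round-trip ok:', recovered == SAMPLE_MESSAGES)
```

The first sample message contains a line feed followed by text shaped like another syslog header; with the escaping above it still occupies one line of the file, so a line-oriented reader sees two records, not three, and gets the original bytes back after decoding. The reader's refusal to accept raw control characters is the check a practitioner would want at the boundary where files from different syslog implementations are fed into analysis tools.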
