[logs] CEE - a new logging standard
Mordechai T. Abzug
morty at frakir.org
Mon Apr 23 23:30:02 PDT 2007
On Mon, Apr 23, 2007 at 11:56:16AM -0700, Raffael Marty wrote:
> And contrary to what you claim, I am dealing with approximately 20
> vendors who are implementing a standard logging format at this very
> moment. [http://www.arcsight.com/solutions_cef.htm]
There are thousands of ISVs. 20 vendors "implementing" a standard
means that you don't have a significant buy-in from the industry.
I hope that concepts such as CEF and CEE succeed. Far be it from me
to be the one who says something is impossible. But this discussion
is not giving me warm fuzzies.
> Great point. And you know what? The existing standards (almost all
> of them) are too expensive to implement. They require you to
> implement complicated transports, etc. However, if you provide
> products with an easy standard, it is quite compelling to implement
> it! [I am talking from experience!]
Your optimism is refreshing. You're going to get a vendor with
millions of lines of code in the field and customers who expect strong
backwards compatibility to voluntarily change *anything* about their
products? Good luck.
> SNMP is not a format. It's a transport! You could argue it's a format
> too, but at most a really ugly one ;)
Eh? The SNMP PDUs are extremely specific about the form of SNMP
messages, as are ASN.1 and SMI for MIBs. They allow SNMP traps and
informs to be parsed in a completely automated fashion. For that
matter, SNMP even includes some content standards, i.e. the MIB-2
tree. So SNMP combines transport, format, and even some content. And
it works today, in a reasonably interoperable, vendor neutral, and
extensively supported kind of way. There are over 20,000 enterprise
numbers that have been assigned to vendors and other entities over the
history of SNMP. It's certainly ugly, and prone to security issues --
ASN.1 parsers have had a lot of bugs over the years -- but it has
built-in format.
- Morty
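Morty's point above, that SNMP messages can be parsed "in a completely automated fashion" because BER/ASN.1 fixes their form, together with his caveat that ASN.1 parsers have been a steady source of bugs, as an added example that is not part of the original post: a small strict BER decoder for an SNMPv2c trap in Python. The trap bytes are constructed for this example, and every length field is checked against the buffer before it is trusted.

```python
# Added example for this thread (not code from the original post): a strict BER
# decoder for an SNMPv2c trap that bounds-checks every length field it reads.
INTEGER, OCTET_STRING, OID, SEQUENCE, TIMETICKS, TRAP_V2 = 2, 4, 6, 0x30, 0x43, 0xA7
def read_tlv(buf, pos):  # -> (tag, value_bytes, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        if not 0 < n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):  # the classic ASN.1 parser overread, rejected here
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    if not raw or raw[-1] & 0x80:  # empty, or last sub-identifier still continuing
        raise ValueError("malformed OID")
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0  # first octet packs the first two arcs
    for b in raw[1:]:  # base-128; a set high bit means more octets follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_trap(msg):  # -> (community, [(oid, value), ...])
    tag, body, end = read_tlv(msg, 0)
    t1, ver, pos = read_tlv(body, 0)
    t2, community, pos = read_tlv(body, pos)
    t3, pdu, _ = read_tlv(body, pos)
    if (tag, end, t1, ver, t2, t3) != (SEQUENCE, len(msg), INTEGER, b"\x01", OCTET_STRING, TRAP_V2):
        raise ValueError("not an SNMPv2c trap")
    pos = 0
    for _ in range(3):  # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    out, pos = [], 0
    while pos < len(varbinds):  # each varbind is SEQUENCE { name OID, value }
        _, vb, pos = read_tlv(varbinds, pos)
        _, name, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        value = (decode_oid(val) if vtag == OID else
                 int.from_bytes(val, "big") if vtag in (INTEGER, TIMETICKS) else val)
        out.append((decode_oid(name), value))
    return community.decode(), out

SAMPLE_TRAP = bytes.fromhex(  # constructed coldStart trap, community "public", sysUpTime.0 = 12345
    "3041 020101 0406 7075626c6963 a734 020101 020100 020100 3029 300e 0608 2b06010201010300"
    "4302 3039 3017 060a 2b060106030101040100 0609 2b0601060301010501")
```

A trap that is truncated, or whose outer length is rewritten to run past the buffer, is rejected with ValueError instead of being read past the end.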