[logs] Cross-Platform Log Analysis and Microsoft

Darren Reed avalon at coombs.anu.edu.au
Tue Jul 3 01:27:39 PDT 2007


Tom Perrine wrote:
> ...
> For ***anyone*** to come along at this point in the game to offer a new
> completely new proprietary (Is it a standards-track RFC with authors
> from at least three companies?) system audit message transport protocol,
> AFTER IGNORING ALL THE OTHERS FOR 15+ YEARS, is just.....
>
> well, fool me once...... won't get fooled again?
>   

The problem isn't just the protocol.
Protocols are easy to come up with and use.

The real problem is actually programming.
Why?

Because syslog() is just *too* easy to use as a programmer.

To get yourself meaningful output requires very little in the way of effort
and often the output is designed to be consumed by the programmer,
not some log analysis tool.

So even if you do come up with something better, getting people to
use it will be hard because it'll require more work.

If you think of syslog as a cheap'n'easy way for programmers to do
debugging of daemons and the kernel, then the interface and the
output kind of makes sense.

As a programmer, if it were going to be just as easy (or easier) to
use and more meaningful then we need to do some compiler magic
where it looks at:
xlog(inetd+info, "connection from %s", sin.sin_addr);
and goes:
- I know how to convert a sin_addr into string
- I know what a sin_addr type is, I can encode that too
so it knows
- how to generate the complete text message to send to syslogd
- how to record the entire sin.sin_addr object to send to xlogd with the 
format string

If the interface is any harder to use, nobody will use it because
syslog is just too easy (my prediction).

You could possibly create an interface that was this easy to use
with Java, but I don't know about other languages.

Darren
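The xlog sketch in the post, worked through as an added example (this is not Darren's code and not a real xlog API): a hypothetical typed argument stands in for what the "compiler magic" would infer from the C type of sin.sin_addr, and one call yields both the syslog-style text and a structured record that carries the whole in_addr object for a hypothetical xlogd.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical typed argument: what Darren's "compiler magic" would infer
 * from the C type of sin.sin_addr. Only in_addr is handled here. */
enum xlog_type { XLOG_IN_ADDR };
struct xlog_arg { enum xlog_type type; struct in_addr addr; };

/* Text form, as syslogd gets it today; fmt must contain exactly one %s. */
static int xlog_text(char *out, size_t n, const char *fmt, const struct xlog_arg *a)
{
    char rep[INET_ADDRSTRLEN];
    const char *pct = strstr(fmt, "%s");
    if (!pct || a->type != XLOG_IN_ADDR) return -1;
    if (!inet_ntop(AF_INET, &a->addr, rep, sizeof rep)) return -1;
    return snprintf(out, n, "%.*s%s%s", (int)(pct - fmt), fmt, rep, pct + 2);
}

/* Structured form for a hypothetical xlogd: the unexpanded format string
 * plus the argument's type tag and raw bytes (network order, hex), so the
 * analysis side never has to re-parse free text to recover the address. */
static int xlog_record(char *out, size_t n, const char *fmt, const struct xlog_arg *a)
{
    const unsigned char *p = (const unsigned char *)&a->addr;
    int w = snprintf(out, n, "fmt=\"%s\" arg0.type=in_addr arg0.raw=", fmt);
    size_t i, len = (size_t)w;
    if (w < 0 || len + 2 * sizeof a->addr >= n) return -1;
    for (i = 0; i < sizeof a->addr; i++, len += 2)
        snprintf(out + len, n - len, "%02x", p[i]);
    return (int)len;
}

/* Constructed sample: the peer address inetd would log, rendered both ways. */
static const char *xlog_example(int structured)
{
    static char text[128], rec[256];
    struct xlog_arg a = { XLOG_IN_ADDR, { 0 } };
    inet_pton(AF_INET, "192.168.0.1", &a.addr);
    if (xlog_text(text, sizeof text, "connection from %s", &a) < 0) return NULL;
    if (xlog_record(rec, sizeof rec, "connection from %s", &a) < 0) return NULL;
    return structured ? rec : text;
}

int main(void)
{
    printf("%s\n%s\n", xlog_example(0), xlog_example(1));
    return 0;
}
```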
