[logs] regexless parsing, again?

Anton Chuvakin anton at chuvakin.org
Thu Sep 13 11:56:33 PDT 2007


All,

I think it is a good time to revisit this fun subject that we
_revisited_ back in 2005: regexless log message processing. (e.g. see
my post "regex-less parsing of messages" and the prolonged discussion
that followed here:
http://lists.jammed.com/loganalysis/2005/12/index.html)

So, has the world changed since that glorious time? :-) I think it
has, but only a little. We do have a lot more weird logs to analyze,
log indexing got much better (but the quality and presentation of
parsed data still beats the indexed data) and more people want to do
log management right (there is also this compliance thing, but I
digress...)

Anybody care to restart the discussion and see what the collective
wisdom of loganalysis can produce?

As a semi-humorous warning, please don't suggest the following - we've
seen these before:

- wait until all logs are in a common XML schema (we know how this one
ends: MJR emerges out of the darkest part of the woods and kicks
everybody's ass :-))
- use our award-losing UI to "easily" create the regexes
- be happy with keyword searching
- just write the darn regexes
(also see http://lists.jammed.com/loganalysis/2005/12/0025.html)

Ready, set, GO!!!

Best,
-- 
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org
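To make the "regexless" option concrete for readers joining the thread: the following is an added example, not code from Anton's post or from the loganalysis list. It does message-template extraction the way the 2005 discussion described it in outline: split each message into tokens, classify every token by trying cheap structural parsers (ipaddress, int(), datetime.strptime, a key=value split) instead of a hand-written regex per message type, replace the variable tokens with typed placeholders, and then merge templates that differ in only a few positions. The sample syslog-style lines, host names and addresses are constructed for the demo; the 0.5 "shared tokens" threshold is an arbitrary choice, not a recommended value.

```python
"""Regexless log parsing: classify tokens structurally, then cluster templates.

Constructed sample lines for the demo (syslog-ish; not taken from a real host).
No regular expressions are used anywhere in this file.
"""
import ipaddress
from datetime import datetime

SAMPLE_LINES = [
    "Sep 13 11:56:33 host1 sshd[2210]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Sep 13 11:57:01 host1 sshd[2215]: Failed password for admin from 192.168.1.9 port 40022 ssh2",
    "Sep 13 11:58:10 fw1 kernel: DROP src=203.0.113.7 dst=10.0.0.1 proto=6 spt=4444 dpt=22",
    "weird log with no timestamp at all",
]

# Punctuation that is split off into its own token (brackets around a pid etc.).
PUNCT = "[](),\"'"


def strip_timestamp(line):
    """Peel a BSD-syslog 'Mon DD HH:MM:SS' prefix with strptime, not a regex.

    Returns (datetime or None, remainder). Year-less strptime yields 1900;
    that is fine for detection, a real pipeline would fill the year in.
    """
    parts = line.split(None, 3)
    if len(parts) >= 3:
        try:
            ts = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S")
            return ts, parts[3] if len(parts) == 4 else ""
        except ValueError:
            pass
    return None, line


def tokenize(text):
    """Split on whitespace and PUNCT; a trailing ':' on a chunk becomes a token.

    'sshd[2210]:' -> ['sshd', '[', '2210', ']', ':'] so the pid is its own token.
    """
    out = []
    for chunk in text.split():
        trailing_colon = chunk.endswith(":")
        if trailing_colon:
            chunk = chunk[:-1]
        buf = ""
        for ch in chunk:
            if ch in PUNCT:
                if buf:
                    out.append(buf)
                    buf = ""
                out.append(ch)
            else:
                buf += ch
        if buf:
            out.append(buf)
        if trailing_colon:
            out.append(":")
    return out


def classify(tok):
    """Return (kind, value) by trying structural parsers in order."""
    if "=" in tok[1:-1]:                      # key=value pair, classify the value
        key, val = tok.split("=", 1)
        return "kv", (key, classify(val))
    try:
        return "ip", str(ipaddress.ip_address(tok))   # IPv4 or IPv6 literal
    except ValueError:
        pass
    if tok.isascii() and tok.isdigit():
        return "int", int(tok)
    return "word", tok


def parse_line(line):
    """Parse one message into a typed template string plus extracted fields."""
    ts, rest = strip_timestamp(line)
    template, fields = [], {}
    if ts is not None:
        template.append("<TIME>")
        fields["timestamp"] = ts
    for tok in tokenize(rest):
        kind, val = classify(tok)
        if kind == "word":
            template.append(val)
        elif kind == "kv":
            key, (vkind, vval) = val
            template.append("%s=<%s>" % (key, vkind.upper()))
            fields[key] = vval
        else:
            template.append("<%s>" % kind.upper())
            fields.setdefault(kind, []).append(val)
    return " ".join(template), fields


def merge_templates(a, b):
    """Wildcard ('*') the positions where two equal-length templates differ."""
    ta, tb = a.split(" "), b.split(" ")
    if len(ta) != len(tb):
        return None
    return " ".join(x if x == y else "*" for x, y in zip(ta, tb))


def group_lines(lines, min_shared=0.5):
    """Greedy clustering: a line joins the first group it can merge with while
    at least `min_shared` of the template tokens stay fixed (threshold is an
    arbitrary demo value)."""
    groups = []  # each entry: [template, [fields of member lines]]
    for line in lines:
        template, fields = parse_line(line)
        for g in groups:
            merged = merge_templates(g[0], template)
            if merged is None:
                continue
            toks = merged.split(" ")
            if sum(t == "*" for t in toks) / len(toks) <= 1 - min_shared:
                g[0] = merged
                g[1].append(fields)
                break
        else:
            groups.append([template, [fields]])
    return groups


if __name__ == "__main__":
    for template, members in group_lines(SAMPLE_LINES):
        print("%d x %s" % (len(members), template))
```

The two sshd lines collapse into one template with the user name wildcarded, the firewall line keeps its key=value fields intact, and the timestamp-less line survives as its own group rather than being dropped, which is the failure mode to watch for with "weird" logs. What this buys over regexes is that new message types get a usable template and typed fields on first sight; what it does not buy is semantics: the parser knows that "root" and "admin" occupy the same variable slot, not that the slot is a user name.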

