[logs] Syslog - monitoring the bigger picture
Tom Le
dottom at gmail.com
Sat Sep 15 00:51:46 PDT 2007
David Corlette <dcorlette at novell.com> wrote:
| So, Tina - are you planning to coordinate your efforts with any of
| the standards bodies? I am personally involved in the Open Group's
| XDAS project, which has some overlap with what you describe, but
| I've also heard of CERIAS or COAST or something, and other similar
| efforts sponsored by MITRE and such.
David,
Standards for log syntax and/or transports might happen, but it will never
happen for content.
There are some old posts on this list on why I believe the above statement is
true. Some folks disagree, but like the IPv6 debates, it will be years before
we know who's right. This Google search gets you one of the threads:
+cef +cee +site:loganalysis.org
Even if a standard is published or officially blessed by <insert any
standards body here>, the implementation cost is too high.
The only way for a log standard to happen is for a vendor with wide enough
adoption, <insert heavyweight vendor here>, to build it *and* for other vendors
to start adapting to it. CEF is the closest to this, but I don't see it used
much outside of the vendor specific integration. I've been saying this for a
few years (i.e. don't wait for a standard, it won't happen... build it and
they will come). The MSFT model of expansion works in this regard. But you
need an 800-lb gorilla to step up to the plate. Cisco?
| The point being, it's great that Splunk is working on this, but
| unless it gets up to sort-of-RFC status, it'll be hard for people
| to find and reference, in my opinion.
SplunkBase has nothing to do with log standards and is more of an "IT wiki"
with a focus on logs. It has a Q&A component as well as a log tagging/KB
format.
Searching for information about logs has always been a difficult endeavor if
the vendor doesn't have good, publicly available reference documentation
(why can't everyone be like Cisco?). You try Google, various message
boards, some 3rd party vendor sites, and just hope you get the answers you
need. The problem is that in order to centralize any kind of discussion on
logs themselves, you need:
- indexing & searching back-end which Splunk provides (could probably
just use wiki technology if you had to)
- some people (usually paid) to organize content
- lots of people (the community of users) to post content & ask questions
Splunk is the first company doing this on a large scale, is vendor neutral,
and promises it will be free forever. You still have to do your own homework
at some point, but SplunkBase is a good starting point.
Tom