[logs] Syslog - monitoring the bigger picture
David Corlette
dcorlette at novell.com
Fri Sep 14 20:38:08 PDT 2007
Hi Tina,
You make an excellent point about people developing tools without much knowledge about what's already out there - on the other hand, I believe that's where standards bodies can actually help, e.g. by getting a bunch of knowledgeable people together to contribute requirements as to what those tools should be able to do. So, for example, the Open Group is reworking the XDAS spec, which has been around for a while, to revamp the record format and taxonomy to ensure that it covers all the common use cases, is extensible, is easily parseable, and so on. I think you can do that sort of work as long as you get a bunch of smart people with lots of experience together to bounce ideas off each other (understanding that the risk is that you never get anything done, or that it bears no relation to reality).
But from what you're saying, you're working more on "best practices" for event generation, collection, parsing, interpretation, something like that. I haven't looked into this extensively, but my understanding is that there were a couple of groups out there trying to do this from a standards perspective (COAST, which turned into CERIAS, I believe), e.g. a *prescriptive* set of guidelines that hopefully developers would start to follow. Obviously there is value in "reverse-engineering" the data as you appear to be doing, but I would hope that ultimately what you do could be turned into APIs and recommendations for developers of future programs. What I see a lot is confusion between "debug" data and "security event" or "operational event" data, so having guidelines for different ways to generate each of those classes would be great. I mentioned an RFC only in the sense of one such output from your work.
BTW, I wasn't able to find info about XDAS on your website, might be worth adding to your list of standards:
http://www.opengroup.org/security/das/
(it's being reworked as we speak, but whatever).
>>> On Fri, Sep 14, 2007 at 5:29 PM, in message
<03ce01c7f716$60f35750$1701a8c0 at lindesfarne>, "Tina Bird"
<tbird at precision-guesswork.com> wrote:
> Does that explain things more clearly? If not, can you elaborate on how the
> process of creating an RFC at this point will help?