[logs] regexless parsing, again?

David Corlette dcorlette at novell.com
Thu Sep 20 15:00:30 PDT 2007


I'm not sure I agree with this.  We all know developers, and what we know about good developers is that they're lazy.  So if there's an API or library out there (as there is for XDAS) that can help them solve their logging problem, they'll probably use it to save time. I'd guess that pretty much every Java developer has used Log4J, for example.

There are a couple reasons why they might not use existing standards:
1) The standard doesn't provide easy methods to express all the data they wish to express
2) They have a different target audience than us (assuming we're mostly operations/security/sysadmin types)

A properly designed standard should be able to handle #1, but #2 is much more difficult, as usually the developer is worried about debugging far more than reporting operational or security status or auditing. But I would then argue that the problem is not really at the developer level, it's at the level of the people defining requirements for software products. If the Product Management folks said "This product needs to audit internal operational and security events" then it would get done.

But then there's a third problem:
3) Proprietary software
Most companies have little interest in developing to standards for logging, in fact possibly exactly the opposite if they sell some sort of management interface.

The point being, I think the work that actually needs to be done (because these standards do in fact exist, and although they may be flawed they'd get better if more people used them) is to convince the community (of PM folks and companies) of the value of developing to standards and having interoperability.


>>> On Thu, Sep 20, 2007 at 10:07 AM, in message <46F27E84.9070007 at cornell.edu>,
Mike Heisler <mgh4 at cornell.edu> wrote: 
> Mordechai T. Abzug wrote:
>> 
>> [Cue a bunch of starry-eyed innocents talking up CEE, CEF, and other
>> "standards" that are supposed to make unstructured logs go away Real
>> Soon Now.]
> 
> Which is to say, as others have, we need solutions yesterday and 
> official standards aren't going to solve the problem.
> 
> Log files aren't generally written for us, they are written for the 
> programmer or some auditor, individually, in a vacuum for each 
> application. If I were to write an application today and wanted to log 
> transactions of some sort why would I think to look for standards? Where 
> would I start to look? Who cares about my log file any way?


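The "regexless parsing" in the thread subject, and Corlette's point #1 that a usable standard must let a developer express data the schema did not anticipate, are easier to judge with a concrete emitter and consumer side by side. The following is an added example, not code from the LogAnalysis list, from XDAS, CEE or CEF, or from any product named above. It assumes a hypothetical key="value" line convention (field names, quoting rule and the sample event are all constructed here): the emitter is the kind of small API a busy developer would actually call, the consumer recovers every field with a character scanner and no regular expression, unknown fields pass through untouched, and a regex over the equivalent free-text line is shown for contrast.

```python
"""Hypothetical structured key="value" log convention, as an illustration of
"regexless parsing": an emitter a developer can call and a consumer that gets
the fields back with a hand-written scanner. Constructed example; it is not
XDAS, CEE or CEF and not code from the LogAnalysis thread."""
import re

# Fields every event carries. Anything else is passed through untouched, so the
# convention does not stop a developer who has extra data to express.
CORE_FIELDS = ("ts", "event", "outcome", "subject", "src")


def _quote(value):
    """Quote a value so spaces, quotes and backslashes survive transport."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def emit_event(ts, event, outcome, **extra):
    """Render one event as key="value" pairs: core fields first, extras sorted.

    Keys are restricted to identifier characters so the consumer never has to
    guess where a key ends.
    """
    fields = {"ts": ts, "event": event, "outcome": outcome, **extra}
    for key in fields:
        if not key.isidentifier():
            raise ValueError(f"bad key: {key!r}")
    ordered = [k for k in CORE_FIELDS if k in fields]
    ordered += sorted(k for k in fields if k not in CORE_FIELDS)
    return " ".join(f"{k}={_quote(fields[k])}" for k in ordered)


def parse_structured(line):
    """Recover the fields with a character scanner; no regular expression.

    Malformed input raises ValueError instead of silently dropping fields,
    which is the failure mode a security consumer most needs to notice.
    """
    fields, i, n = {}, 0, len(line)
    while i < n:
        while i < n and line[i] == " ":          # skip separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and line[i] not in '= "':    # key runs up to '='
            i += 1
        if i >= n or line[i] != "=":
            raise ValueError(f"key without value at offset {start}")
        key = line[start:i]
        i += 1
        if i >= n or line[i] != '"':
            raise ValueError(f"unquoted value for {key!r}")
        i += 1
        buf = []
        while True:                              # quoted value with escapes
            if i >= n:
                raise ValueError(f"unterminated value for {key!r}")
            ch = line[i]
            if ch == "\\" and i + 1 < n:
                buf.append(line[i + 1])
                i += 2
            elif ch == '"':
                i += 1
                break
            else:
                buf.append(ch)
                i += 1
        if key in fields:
            raise ValueError(f"duplicate key {key!r}")
        fields[key] = "".join(buf)
    return fields


# The free-text alternative the thread complains about (constructed line).
FREE_TEXT = "Sep 20 15:00:30 app[4711]: login failed for user alice from 10.0.0.5"
FREE_TEXT_RE = re.compile(r"login failed for user (\S+) from (\S+)")


def parse_free_text(line):
    """Regex parse of the free-text line: a wording change by the developer
    either breaks the match or quietly corrupts it (quote the user name in the
    message and the subject becomes "'alice'", quotes included)."""
    m = FREE_TEXT_RE.search(line)
    return None if m is None else {"subject": m.group(1), "src": m.group(2)}


def demo():
    """Round-trip an event with awkward values and an extra, non-core field."""
    line = emit_event("2007-09-20T15:00:30Z", "login", "failure",
                      subject='o"brien', src="10.0.0.5", tenant=r"C:\acme")
    return line, parse_structured(line)


if __name__ == "__main__":
    emitted, parsed = demo()
    print(emitted)
    print(parsed)
    print(parse_free_text(FREE_TEXT))
```

The point of the extra `tenant` field is #1 from the message: the consumer keeps it as data rather than rejecting the line, so the developer with one more thing to say is not pushed back to free text. The scanner also refuses duplicate keys and unterminated values loudly; a consumer that swallows those is exactly where log injection goes unnoticed.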
