[logs] regexless parsing, again?

Moehrke, John (GE Healthcare) John.Moehrke at med.ge.com
Fri Sep 21 02:10:11 PDT 2007


This is what is happening in healthcare with RFC 3881 over syslog. Tools are being developed in Eclipse (OHF). Called for by government through HITSP and eventually CCHIT.

John Moehrke
computer challenged on my Treo

---- Original Message ----
From: "David Corlette" <dcorlette at novell.com>
Date: 9/20/07 5:41 pm
To: "<loganalysis" <loganalysis at loganalysis.org>
Subj: Re: [logs] regexless parsing, again?
I'm not sure I agree with this.  We all know developers, and what we know about good developers is that they're lazy.  So if there's an API or library out there (as there is for XDAS) that can help them solve their logging problem, they'll probably use it to save time. I'd guess that pretty much every Java developer has used Log4J, for example.

There are a couple reasons why they might not use existing standards:
1) The standard doesn't provide easy methods to express all the data they wish to express
2) They have a different target audience than us (assuming we're mostly operations/security/sysadmin types)

A properly designed standard should be able to handle #1, but #2 is much more difficult, as usually the developer is worried about debugging far more than reporting operational or security status or auditing. But I would then argue that the problem is not really at the developer level, it's at the level of the people defining requirements for software products. If the Product Management folks said "This product needs to audit internal operational and security events" then it would get done.

But then there's a third problem:
3) Proprietary software
Most companies have little interest in developing to standards for logging, in fact possibly exactly the opposite if they sell some sort of management interface. 

The point being, I think the work that actually needs to be done (because these standards do in fact exist, and although they may be flawed they'd get better if more people used them) is to convince the community (of PM folks and companies) of the value of developing to standards and having interoperability.


>>> On Thu, Sep 20, 2007 at 10:07 AM, in message <46F27E84.9070007 at cornell.edu>,
Mike Heisler <mgh4 at cornell.edu> wrote: 
> Mordechai T. Abzug wrote:
>> 
>> [Cue a bunch of starry-eyed innocents talking up CEE, CEF, and other
>> "standards" that are supposed to make unstructured logs go away Real
>> Soon Now.]
> 
> Which is to say, as others have, we need solutions yesterday and 
> official standards aren't going to solve the problem.
> 
> Log files aren't generally written for us, they are written for the 
> programmer or some auditor, individually, in a vacuum for each 
> application. If I were to write an application today and wanted to log 
> transactions of some sort why would I think to look for standards? Where 
> would I start to look? Who cares about my log file any way?

_______________________________________________
LogAnalysis mailing list
LogAnalysis at loganalysis.org
http://www.loganalysis.org/mailman/listinfo/loganalysis
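The RFC 3881-over-syslog arrangement John mentions is one concrete form of "regexless parsing": the syslog envelope is cut on its fixed delimiters and the audit record inside it is a self-describing XML document, so the consumer reads named attributes instead of guessing at field positions. The following is an added example, not code from this thread or from the OHF project. Element and attribute names follow RFC 3881; the syslog line, host name, user, IP and object identifiers are constructed for the example.

```python
"""Parse an RFC 3881 AuditMessage carried as the MSG part of a syslog line.

Added example; element/attribute names follow RFC 3881, all sample values
are constructed.  No regular expressions are used anywhere.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample: RFC 3164-style header (PRI 110 = facility 13 "log audit",
# severity 6 "informational") followed by an RFC 3881 AuditMessage body.
SAMPLE_LINE = (
    "<110>Sep 21 02:10:11 pacs01 atna: "
    "<AuditMessage>"
    '<EventIdentification EventActionCode="R" EventDateTime="2007-09-21T02:10:11" '
    'EventOutcomeIndicator="0">'
    '<EventID code="110112" codeSystemName="DCM" displayName="Query"/>'
    "</EventIdentification>"
    '<ActiveParticipant UserID="jdoe" UserIsRequestor="true" '
    'NetworkAccessPointID="10.0.0.5" NetworkAccessPointTypeCode="2"/>'
    '<AuditSourceIdentification AuditSourceID="pacs01"/>'
    '<ParticipantObjectIdentification ParticipantObjectID="MRN-12345" '
    'ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1"/>'
    "</AuditMessage>"
)


def split_syslog(line: str) -> Tuple[int, int, str, str]:
    """Split '<PRI>TIMESTAMP HOST TAG: MSG' into (facility, severity, header, msg)
    using only string partitioning on the fixed delimiters."""
    if not line.startswith("<"):
        raise ValueError("missing PRI")
    pri_text, sep, rest = line[1:].partition(">")
    if not sep or not pri_text.isdigit():
        raise ValueError("malformed PRI")
    pri = int(pri_text)
    header, sep, msg = rest.partition(": ")
    if not sep:
        raise ValueError("missing TAG separator")
    return pri // 8, pri % 8, header, msg


def parse_audit_message(xml_text: str) -> Optional[dict]:
    """Flatten an RFC 3881 AuditMessage into a dict; None if the text is not one.

    Caveat: xml.etree has limited protection against entity-expansion attacks;
    for records arriving from untrusted network peers parse with defusedxml.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "AuditMessage":
        return None
    ev = root.find("EventIdentification")
    if ev is None:
        return None
    try:
        outcome = int(ev.get("EventOutcomeIndicator", "0"))
    except ValueError:
        return None
    # The requesting participant is the one flagged UserIsRequestor="true".
    requestor = None
    for p in root.findall("ActiveParticipant"):
        if p.get("UserIsRequestor", "false").lower() == "true":
            requestor = p
            break
    event_id = ev.find("EventID")
    source = root.find("AuditSourceIdentification")
    return {
        "action": ev.get("EventActionCode"),
        "time": ev.get("EventDateTime"),
        "outcome": outcome,
        "event_id": event_id.get("code") if event_id is not None else None,
        "user_id": requestor.get("UserID") if requestor is not None else None,
        "source_ip": requestor.get("NetworkAccessPointID") if requestor is not None else None,
        "audit_source": source.get("AuditSourceID") if source is not None else None,
        "objects": [o.get("ParticipantObjectID")
                    for o in root.findall("ParticipantObjectIdentification")],
    }


def parse_audit_line(line: str) -> Optional[dict]:
    """Syslog envelope plus RFC 3881 body in one call; None for non-audit MSGs."""
    facility, severity, _header, msg = split_syslog(line)
    event = parse_audit_message(msg)
    if event is None:
        return None
    event["facility"] = facility
    event["severity"] = severity
    return event


def is_failure(event: dict) -> bool:
    """RFC 3881 EventOutcomeIndicator: 0 is success; 4, 8, 12 are failures."""
    return event["outcome"] != 0


if __name__ == "__main__":
    print(parse_audit_line(SAMPLE_LINE))
```

The point of the structure is that a non-audit line on the same syslog feed (a plain text MSG) falls out as `None` from the XML step rather than matching some regex by accident, and the field names the consumer keys on are the ones the producer wrote.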


