[logs] ugliest application logs ever?

Jason Lewis jlewis at packetnexus.com
Thu Jan 24 11:52:48 PST 2008


I don't know about ugly, but logs that are difficult to parse suck.

Netscreen:
messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-notification-00257(traffic): start_time="2002-12-17 09:40:18" duration=4 policy_id=0 service=tcp/port:8000 proto=6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561 src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000 translated ip=10.14.93.7 port=1217
messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-notification-00257(traffic): start_time="2002-12-17 09:40:18" duration=4 policy_id=0 service=tcp/port:8000 proto=6 src zone=Trust dst zone=Untrust action=Permit sent=651 rcvd=2782 src=10.14.94.221 dst=10.14.90.217 src_port=1040 dst_port=8000 translated ip=10.14.93.7 port=1218

There isn't a good delimiter to break the log up, so it requires a 
custom regex.  Trying to use a space is a nightmare.  Give me something 
so I can quickly grab only what I need. I like pipe delimited.

jas
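As an added example (not code from the post, and not a Juniper/NetScreen tool), here is a parser for the record format quoted above. It shows why a plain split on spaces fails (keys such as `src zone`, `dst zone` and `translated ip` contain spaces, and `start_time` carries a quoted value with a space) and how a small key=value tokenizer that allows multi-word keys handles it. It also re-joins records that a mail client or pager wrapped across lines, as they appear in the post, and emits the pipe-delimited subset the author asks for. The sample text is the post's own two records; the field names chosen for the pipe output are the example's own assumption.

```python
import re

# Constructed sample: the two NetScreen records from the post, wrapped across
# lines the way they appear in the mailing-list archive.
SAMPLE = """\
messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
duration=4 policy_id=0 service=tcp/port:8000 proto
=6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561
src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000 translated
ip=10.14.93.7 port=1217
messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
duration=4 policy_id=0 service=tcp/port:8000 proto
=6 src zone=Trust dst zone=Untrust action=Permit sent=651 rcvd=2782
src=10.14.94.221 dst=10.14.90.217 src_port=1040 dst_port=8000 translated
ip=10.14.93.7 port=1218
"""

# A record starts with an optional "filename:" prefix (left by grep) and a
# syslog timestamp; anything else is a wrapped continuation line.
START = re.compile(r'^(?:[\w.]+:)?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ')

HEADER = re.compile(
    r'^(?:[\w.]+:)?'                                     # optional grep prefix
    r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) '    # syslog timestamp
    r'(?P<host>\S+) (?P<tag>[^:\s]+): NetScreen (?P<body>.*)$'
)

# e.g. "system-notification-00257(traffic):"
MSGID = re.compile(r'(?P<msgid>[a-z]+-[a-z]+-\d+)\((?P<category>\w+)\):')

# key=value where the key may contain spaces ("src zone") and the value may be
# a quoted string with spaces ("2002-12-17 09:40:18"). The lazy quantifier on
# the key stops at the first "=", so "proto=6 src zone=Trust" tokenizes as
# proto/6 and "src zone"/Trust rather than swallowing the preceding value.
KV = re.compile(r'(?P<key>[A-Za-z_][\w ]*?)=(?P<val>"[^"]*"|\S+)')

# Fields to pull out for the pipe-delimited view (assumed choice, not NetScreen's).
FIELDS = ('ts', 'src', 'src_port', 'dst', 'dst_port', 'action', 'sent', 'rcvd')


def unwrap(text):
    """Glue wrapped continuation lines back onto the record they belong to."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if START.match(line):
            records.append(line)
        elif records:
            # "proto" + "=6" must join with no space; everything else with one.
            sep = '' if line.startswith('=') or records[-1].endswith('=') else ' '
            records[-1] += sep + line
        # a continuation with nothing to attach to is dropped
    return records


def parse(line):
    """Turn one unwrapped NetScreen record into a flat dict; None if not NetScreen."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {'ts': m['ts'], 'host': m['host'], 'tag': m['tag']}
    body = m['body']
    mid = MSGID.search(body)
    if mid:
        rec['msgid'] = mid['msgid']
        rec['category'] = mid['category']
    for kv in KV.finditer(body):
        key = kv['key'].strip().replace(' ', '_')   # "src zone" -> "src_zone"
        rec[key] = kv['val'].strip('"')
    return rec


def parse_all(text):
    """Unwrap and parse every NetScreen record in a block of text."""
    return [r for r in (parse(line) for line in unwrap(text)) if r is not None]


def to_pipe(rec, fields=FIELDS):
    """Project a parsed record onto the chosen fields, pipe-delimited."""
    return '|'.join(rec.get(f, '') for f in fields)


if __name__ == '__main__':
    for rec in parse_all(SAMPLE):
        print(to_pipe(rec))
```

Run stand-alone it prints one pipe-delimited line per record, e.g. `Dec 17 09:35:27|10.14.94.221|1039|10.14.90.217|8000|Permit|715|6561`. The unwrap step is the part most often skipped: without it the second half of each wrapped record is silently lost, which is exactly the "omits the most critical piece of info" failure the thread complains about.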


Anton Chuvakin wrote:
> All,
>
> Ah, long time - no post! :-)
>
> I wanted to turn this into a formal contest but figured I'd poll the
> list first: what are the ugliest, most useless application logs that
> you've seen? Logs that defy log analysis, that are full of numeric
> codes not explained anywhere? Logs that don't say what they mean (and
> vice versa)? Logs that omit the most critical piece of info?
>
> Here is my example:
>
> |22:22:32|BTC| 7|000|DDIC        |    |R49|Communication error, CPIC
> return code 020, <application> return code 456
>
> Why it sux: numeric codes (twice), ambiguous language, no sense of
> priority, etc.
>
> More?
>
> Best,
>   

