[logs] ugliest application logs ever?

Jason Lewis jlewis at packetnexus.com
Thu Jan 24 14:20:49 PST 2008


Except they didn't standardize the keys....

proto=6 src zone=Trust dst zone=Untrust action=Permit

There is a space before zone that hoses things up.

Dilley, Ron wrote:
> Jas,
>
> This does not look too bad as long as you don’t use regex to parse it.
>
> Key=value all the way . . .
>
> Ron
>
>
>
> On 1/24/08 11:52 AM, "Jason Lewis" <jlewis at packetnexus.com> wrote:
>
>     I don't know about ugly, but logs that are difficult to parse suck.
>
>     Netscreen:
>     messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
>     system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
>     duration=4 policy_id=0 service=tcp/port:8000 proto
>     =6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561
>     src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000
>     translated
>     ip=10.14.93.7 port=1217
>     messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
>     system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
>     duration=4 policy_id=0 service=tcp/port:8000 proto
>     =6 src zone=Trust dst zone=Untrust action=Permit sent=651 rcvd=2782
>     src=10.14.94.221 dst=10.14.90.217 src_port=1040 dst_port=8000
>     translated
>     ip=10.14.93.7 port=1218
>
>     There isn't a good delimiter to break the log up, so it requires a
>     custom regex. Trying to use a space is a nightmare. Give me something
>     so I can quickly grab only what I need. I like pipe delimited.
>
>     jas
>
>
>     Anton Chuvakin wrote:
>     > All,
>     >
>     > Ah, long time - no post! :-)
>     >
>     > I wanted to turn this into a formal contest but figured I'd poll the
>     > list first: what are the ugliest, most useless application logs that
>     > you've seen? Logs that defy log analysis, that are full of numeric
>     > codes not explained anywhere? Logs that don't say what they mean (and
>     > vice versa)? Logs that omit the most critical piece of info?
>     >
>     > Here is my example:
>     >
>     > |22:22:32|BTC| 7|000|DDIC | |R49|Communication error, CPIC
>     > return code 020, <application> return code 456
>     >
>     > Why it sux: numeric codes (twice), ambiguous language, no sense of
>     > priority, etc.
>     >
>     > More?
>     >
>     > Best,
>     >
>     _______________________________________________
>     LogAnalysis mailing list
>     LogAnalysis at loganalysis.org
>     http://www.loganalysis.org/mailman/listinfo/loganalysis
>
>
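
The two parsing defects this thread complains about (keys such as `src zone` that contain a space, and mail wrapping that splits `proto=6` across lines), worked through as an added example; this is not code from the list or from any NetScreen tool. The `messages:` record prefix, the `: NetScreen ` split point and the `name(category):` message-type token are assumptions read off the quoted sample.

```python
import re
from typing import Dict, List

# Constructed sample: the first NetScreen record quoted in the thread, kept
# exactly as the mail wrapped it ("proto" / "=6", "translated" / "ip=").
SAMPLE = """\
messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
duration=4 policy_id=0 service=tcp/port:8000 proto
=6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561
src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000
translated
ip=10.14.93.7 port=1217
"""

# A key is one or more words (no '=' or ':') joined by single spaces, so
# "src zone" and "translated ip" are captured whole instead of leaving a
# stray "src" token; a value is a double-quoted string or one bare token.
KV = re.compile(r'((?:[^\s=:]+ )*[^\s=:]+)=("[^"]*"|\S*)')
# Message-type token of the form name(category): as seen in the sample.
MSG_TYPE = re.compile(r'(\S+\(\w+\)):')


def unwrap_records(text: str) -> List[str]:
    """Re-join mail-wrapped lines; every record starts with 'messages:'."""
    records: List[str] = []
    for raw in text.splitlines():
        if raw.startswith('messages:'):
            records.append(raw[len('messages:'):])
        elif records:
            # A continuation starting with '=' belongs to the key on the
            # previous line ("proto" + "=6"); otherwise a space was wrapped.
            records[-1] += ('' if raw.startswith('=') else ' ') + raw
    return records

def parse_netscreen(record: str) -> Dict[str, str]:
    """Split one re-joined record into syslog prefix, type and fields."""
    prefix, _, body = record.partition(': NetScreen ')
    fields = {'syslog_prefix': prefix}
    m = MSG_TYPE.search(body)
    if m:
        fields['msg_type'] = m.group(1)
    for key, value in KV.findall(body):
        fields[key] = value.strip('"')
    return fields

if __name__ == '__main__':
    for rec in unwrap_records(SAMPLE):
        print(parse_netscreen(rec))
```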
