[dispatch] SIP-CLF: first draft of proposed work

"Vijay K. Gurbani" <vkg@alcatel-lucent.com> Fri, 15 May 2009 13:27 UTC

Return-Path: <vkg@alcatel-lucent.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 83B113A6A8E for <dispatch@core3.amsl.com>; Fri, 15 May 2009 06:27:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dK4L0TFDQV+v for <dispatch@core3.amsl.com>; Fri, 15 May 2009 06:27:09 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by core3.amsl.com (Postfix) with ESMTP id 3284D3A6837 for <dispatch@ietf.org>; Fri, 15 May 2009 06:27:08 -0700 (PDT)
Received: from umail.lucent.com (h135-3-40-61.lucent.com [135.3.40.61]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id n4FDSftb000770 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dispatch@ietf.org>; Fri, 15 May 2009 08:28:41 -0500 (CDT)
Received: from shoonya.ih.lucent.com ([135.112.130.128]) by umail.lucent.com (8.13.8/TPES) with ESMTP id n4FDSeFM011512 for <dispatch@ietf.org>; Fri, 15 May 2009 08:28:41 -0500 (CDT)
Message-ID: <4A0D6E1D.6030007@alcatel-lucent.com>
Date: Fri, 15 May 2009 08:29:01 -0500
From: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: dispatch@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Subject: [dispatch] SIP-CLF: first draft of proposed work
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2009 13:27:10 -0000

All: Eric and I have come up with a draft of proposed work on
sip-clf, reproduced below.  Please take a look and see if this
is on the right track.

Charter proposal for SIP Common Log File (CLF) format work
==========================================================
Vijay K. Gurbani and Eric Burger

Problem Statement
=================
Well-known web servers such as Apache and web proxies like Squid
support event logging using a common log format.  The logs produced
using these de-facto standard formats are invaluable to system
administrators for trouble-shooting a server, and to tool writers who
craft tools that mine the log files to produce reports and trends
and to search for a certain SIP message or messages, a transaction
or a related set of transactions.

Furthermore, these log files can also be used to train anomaly
detection systems and feed events into a security event management
system.  The Session Initiation Protocol does not have a common log
format, and as a result, each server supports a distinct log format
that makes it unnecessarily complex to produce tools to do trend
analysis and security detection.

An ad-hoc meeting was sponsored by the SIPPING WG during the San
Francisco IETF where the participants expressed interest in undertaking
this work.  Minutes from the ad-hoc are available at:
http://www.ietf.org/mail-archive/web/sipping/current/msg17199.html.
Since then, various discussions on CLF file format and other
assorted discussions have occurred on the SIPPING mailing list,
the sip-ops mailing list and the newly formed sip-clf mailing list.

Milestones and deliverables
===========================

1) A document enunciating the problem statement, motivation,
the possible use cases of a SIP CLF, and the list of mandatory
fields that will allow identifying transactions, grouping
transactions into dialogs, and doing the latter with provisions
for allowing the systems administrator or an automaton to
correlate forked branches.  Provisions must be made to
accommodate ad-hoc fields without adversely impacting the
parsing of the mandatory parameters.

A possible starting document for this deliverable is
http://tools.ietf.org/html/draft-gurbani-sipping-clf-01

2) A document that details the byte layout of the SIP CLF
record.

The participants have done preliminary work on writing encoders
and decoders for space-separated ASCII and binary format.  The
runtime complexity to produce the space-separated ASCII and
binary CLF is comparable, however, the binary CLF is appreciably
faster in locating random records from the binary CLF file.
On the other hand, an ASCII CLF format was preferable because
it allowed for a visual interpretation of the mandatory
fields to the benefit of a human user and allowed for
expedited operations on the data using text-based tools.

Based on subsequent deliberations, a text format has been
defined which lends itself well to fast searches while still
allowing the use of visual identification and interpretation
using text-based tools.  This format is documented in:
http://tools.ietf.org/html/draft-roach-sipping-clf-syntax-01
and can serve as a possible starting document for the
details of byte layout.

3) A document that provides reference implementation(s)
for decoding the byte layout of the CLF.

NOTE: It could very well be that three individual documents
are produced to meet the deliverables or a single document is
produced that merges all three aspects.  This can be decided
by the BoF/design team/mini working group.

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
WWW:   http://ect.bell-labs.com/who/vkg
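The first deliverable above asks for mandatory fields that identify transactions, group them into dialogs, correlate forked branches, and tolerate ad-hoc fields without disturbing the parse of the mandatory ones. The script below is an added example, not part of this message or of either cited draft, showing what a log consumer built on those requirements looks like. Its record layout (ten whitespace-separated mandatory fields followed by optional key=value fields, with CSeq written as "number-method" so it stays one token), the field names, and the sample addresses, tags and branches are all assumptions made for illustration; it is not the byte layout of draft-roach-sipping-clf-syntax.

```python
"""Correlate records of a constructed SIP-CLF-style log into transactions, dialogs and forks.

Added example: the record layout is an assumption for illustration, not the layout of
draft-roach-sipping-clf-syntax or draft-gurbani-sipping-clf.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed layout: ten whitespace-separated mandatory fields, then optional key=value fields.
#   ts direction src dst msg_type cseq call_id from_tag to_tag branch [key=value ...]
# msg_type is a request method (INVITE) or a response status code (180).
# cseq is "<number>-<method>", hyphenated so it stays a single token.
MANDATORY = ("ts", "direction", "src", "dst", "msg_type", "cseq",
             "call_id", "from_tag", "to_tag", "branch")
ABSENT = "-"                                # mandatory field with no value (e.g. To-tag before a response)
DIALOG_METHODS = {"INVITE", "ACK", "BYE"}   # CSeq methods whose messages belong to a dialog


@dataclass
class Record:
    ts: float
    direction: str          # "i" received by the logging element, "o" sent by it
    src: str
    dst: str
    msg_type: str
    cseq: str
    call_id: str
    from_tag: str
    to_tag: str
    branch: str
    extra: dict = field(default_factory=dict)   # ad-hoc fields, never needed for correlation

    @property
    def is_request(self):
        return not self.msg_type.isdigit()

    @property
    def cseq_parts(self):
        num, _, method = self.cseq.partition("-")
        return num, method

    def transaction_id(self):
        # A request and its responses share Call-ID, CSeq and top Via branch (RFC 3261).
        # A non-2xx ACK reuses the INVITE's branch and belongs to that INVITE transaction.
        num, method = self.cseq_parts
        if method == "ACK":
            method = "INVITE"
        return (self.call_id, num, method, self.branch)

    def dialog_id(self):
        return (self.call_id, self.from_tag, self.to_tag)


def parse_record(line):
    tokens = line.split()
    if len(tokens) < len(MANDATORY):
        raise ValueError(f"record has {len(tokens)} fields, expected >= {len(MANDATORY)}: {line!r}")
    fixed = dict(zip(MANDATORY, tokens[:len(MANDATORY)]))
    fixed["ts"] = float(fixed["ts"])
    extra = {}
    for tok in tokens[len(MANDATORY):]:
        key, sep, value = tok.partition("=")
        if sep:                 # keep key=value pairs; other trailing tokens are ignored
            extra[key] = value  # rather than allowed to break the mandatory-field parse
    return Record(**fixed, extra=extra)


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def transactions(records):
    groups = defaultdict(list)
    for r in records:
        groups[r.transaction_id()].append(r)
    return dict(groups)


def dialogs(records):
    groups = defaultdict(list)
    for r in records:
        if r.to_tag != ABSENT and r.cseq_parts[1] in DIALOG_METHODS:
            groups[r.dialog_id()].append(r)
    return dict(groups)


def forks(records):
    """Outgoing requests with the same Call-ID and CSeq but different branches were forked."""
    branches = defaultdict(set)
    for r in records:
        if r.is_request and r.direction == "o":
            branches[(r.call_id, r.cseq)].add(r.branch)
    return {k: sorted(v) for k, v in branches.items() if len(v) > 1}


def fork_outcomes(records):
    """Final (>= 200) response seen on each forked branch, or None if it never completed."""
    txns = transactions(records)
    outcome = {}
    for (call_id, cseq), branch_list in forks(records).items():
        num, _, method = cseq.partition("-")
        per_branch = {}
        for b in branch_list:
            finals = [r.msg_type for r in txns.get((call_id, num, method, b), [])
                      if not r.is_request and int(r.msg_type) >= 200]
            per_branch[b] = finals[-1] if finals else None
        outcome[(call_id, cseq)] = per_branch
    return outcome


# Constructed sample: the downstream side of a proxy (10.0.0.1) that forks one INVITE to two UAs.
SAMPLE_LOG = """\
1242398401.120 i 10.0.0.5:5060 10.0.0.1:5060 INVITE 1-INVITE c1@ua5 ft5 - z9hG4bK-a1
1242398401.125 o 10.0.0.1:5060 10.0.0.7:5060 INVITE 1-INVITE c1@ua5 ft5 - z9hG4bK-b1 fork=1
1242398401.126 o 10.0.0.1:5060 10.0.0.8:5060 INVITE 1-INVITE c1@ua5 ft5 - z9hG4bK-b2 fork=2
1242398401.300 i 10.0.0.7:5060 10.0.0.1:5060 180 1-INVITE c1@ua5 ft5 tt7 z9hG4bK-b1
1242398401.310 i 10.0.0.8:5060 10.0.0.1:5060 180 1-INVITE c1@ua5 ft5 tt8 z9hG4bK-b2
1242398402.000 i 10.0.0.7:5060 10.0.0.1:5060 200 1-INVITE c1@ua5 ft5 tt7 z9hG4bK-b1
1242398402.050 o 10.0.0.1:5060 10.0.0.8:5060 CANCEL 1-CANCEL c1@ua5 ft5 - z9hG4bK-b2
1242398402.080 i 10.0.0.8:5060 10.0.0.1:5060 200 1-CANCEL c1@ua5 ft5 tt8 z9hG4bK-b2
1242398402.090 i 10.0.0.8:5060 10.0.0.1:5060 487 1-INVITE c1@ua5 ft5 tt8 z9hG4bK-b2
1242398402.095 o 10.0.0.1:5060 10.0.0.8:5060 ACK 1-ACK c1@ua5 ft5 tt8 z9hG4bK-b2
1242398403.000 i 10.0.0.9:5060 10.0.0.1:5060 REGISTER 7-REGISTER c2@ua9 ft9 - z9hG4bK-r1 ua=softphone/1.0
1242398403.020 o 10.0.0.1:5060 10.0.0.9:5060 401 7-REGISTER c2@ua9 ft9 tt1 z9hG4bK-r1
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(transactions(recs)), "transactions,", len(dialogs(recs)), "dialogs")
    for key, per_branch in fork_outcomes(recs).items():
        print("forked request", key, "->", per_branch)
```

Two design points matter for the charter's requirements. The ad-hoc fields (fork=1, ua=softphone/1.0) sit after the fixed fields, so a tool that only understands the mandatory set still parses every record; placing them earlier, or allowing whitespace inside them, would force every consumer to know every extension. Second, fork correlation needs nothing beyond the mandatory fields: the proxy's two outgoing INVITEs share Call-ID and CSeq and differ only in branch, and the To-tags in the responses then tie each branch to the early dialog it produced, which is exactly what the sample's fork_outcomes reports (200 on one branch, 487 on the cancelled one).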