Re: [sip-clf] New CLF Syntax draft (text with index)

Adam Roach <adam@nostrum.com> Fri, 08 May 2009 15:24 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: sip-clf@core3.amsl.com
Delivered-To: sip-clf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A6EC3A711B for <sip-clf@core3.amsl.com>; Fri, 8 May 2009 08:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SPF_PASS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zmGCr5nQ1Npw for <sip-clf@core3.amsl.com>; Fri, 8 May 2009 08:24:27 -0700 (PDT)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 720013A7009 for <sip-clf@ietf.org>; Fri, 8 May 2009 08:24:27 -0700 (PDT)
Received: from hydra-3.local (ppp-70-249-149-101.dsl.rcsntx.swbell.net [70.249.149.101]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id n48FPqFT065041 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 8 May 2009 10:25:53 -0500 (CDT) (envelope-from adam@nostrum.com)
Message-ID: <4A044F00.1090604@nostrum.com>
Date: Fri, 08 May 2009 10:25:52 -0500
From: Adam Roach <adam@nostrum.com>
User-Agent: Postbox 1.0b11 (Macintosh/2009041623)
MIME-Version: 1.0
To: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
References: <4A032ED7.7030504@nostrum.com> <4A0438CC.7080107@alcatel-lucent.com>
In-Reply-To: <4A0438CC.7080107@alcatel-lucent.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass (nostrum.com: 70.249.149.101 is authenticated by a trusted mechanism)
Cc: sip-clf@ietf.org
Subject: Re: [sip-clf] New CLF Syntax draft (text with index)
X-BeenThere: sip-clf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-clf>
List-Post: <mailto:sip-clf@ietf.org>
List-Help: <mailto:sip-clf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2009 15:24:28 -0000

Vijay K. Gurbani wrote:
> 1) Any special reason why the flags field is separated from
> the record length field by a comma?  And the same for the
> record length field being separated by a comma from the
> server transaction pointer field.

I actually had started out with all the fields on the first line 
separated by commas, but removed the ones between the indices to save 
space. I have a feeling that breaking the total record length out with a 
delimiter will serve us well in the future if we ever decide to extend 
the format, but don't have any concrete examples. I'll ruminate on this 
longer.

> 2) I am not sure I follow the 0x0A in byte 80 -- is it the
> length of the Date/Time field (i.e., upto the period in
> byte 91)?

No; it's an ASCII line feed.

> 3) What about 0x09 in byte 98 and 0x09 in byte 109?  What
> are they used for?

Those are ASCII "tab" characters.

Really, I think the fastest way to get the gestalt of what I'm proposing 
is to uudecode the log message at the bottom of the draft and examine it.

/a