Re: [sip-clf] Next revision for the proposed CLF charter

Atsushi Kobayashi <> Sat, 01 August 2009 04:21 UTC

Date: Sat, 01 Aug 2009 13:15:39 +0900
From: Atsushi Kobayashi <>
To: Robert Sparks <>
Cc:, dispatch mailing list <>
Subject: Re: [sip-clf] Next revision for the proposed CLF charter

Dear all,

I have one question.
Does this charter include the media description part, i.e. SDP?
I understood this motivation; however, regarding security and
troubleshooting, we need to track signaling and media as well.
If SIP-CLF outputs the media description, we can correlate SIP signaling
and media traffic data. The media traffic data may be outputted by IPFIX
or other protocols.

Otherwise, is it future work?


On Fri, 31 Jul 2009 12:07:14 +0200
Robert Sparks <> wrote:

> The SIP Common Log Format (CLF) working group is chartered to define
> a standard logging format for systems processing SIP messages.
> Well-known web servers such as Apache and web proxies like Squid
> support event logging using a common log format.  The logs produced
> using these de-facto standard formats are invaluable to system
> administrators for trouble-shooting a server and tool writers to
> craft tools that mine the log files to produce reports and trends
> and to search for a certain message or messages, a transaction
> or a related set of transactions.  Furthermore, these log records
> can also be used to train anomaly detection systems and feed events
> into a security event management system.
>
> The Session Initiation Protocol does not have a common log
> format. Diverse elements provide distinct log formats making
> it complex to produce tools to analyze them.
>
> The CLF working group will produce a format suitable for logging
> from any SIP element. The format will anticipate the need to
> search, merge, and summarize the log records from diverse elements.
> The format will anticipate the need to correlate messages from
> multiple elements related to a given request (that may fork) or a
> given dialog. The format will take SIP's extensibility into
> consideration, providing a way to represent SIP message components
> that are defined in the future.  The format will anticipate being
> used both for off-line analysis and on-line real-time processing
> applications. The working group will consider the need for
> efficient creation of records and the need for efficient processing
> of the records.
>
> The working group will identify the fields to appear in a log
> record and provide one or more formats for encoding those fields.
> The working group is not pre-constrained to producing either a
> bit-field oriented or text-oriented format, and may choose to
> provide both. If the group chooses to specify both, it must be
> possible to mechanically translate between the formats without loss
> of information.
>
> Specifying the mechanics of exchanging, transporting, and storing
> SIP Common Log Format records is explicitly out of scope. Specifying
> a real-time transfer mechanism for heuristic analysis is explicitly
> out of scope.
>
> The group will generate:
> - A problem statement enunciating the motivation,
>   and use cases for a SIP Common Log Format. This analysis
>   will identify the required minimal information that must
>   appear in any record.
> - A specification of the SIP Common Log Format record
>
> The group will consider providing one or more reference
> implementations for decoding a CLF record.
>
> Goals and Milestones
> ===========================
> Oct 09 - Problem statement, motivation, and use cases
>           WGLC
> Nov 09 - Problem statement, motivation, and use cases
>           to IESG (Informational)
> Jan 10 - SIP Common Log Format specification
>           WGLC
> Feb 10 - SIP Common Log Format specification
>           to IESG (PS)

Atsushi KOBAYASHI  <>
NTT Information Sharing Platform Lab.
tel:+81-(0)422-59-3978 fax:+81-(0)422-59-5637