Re: [sip-clf] A syslog approach to sip logging
"Vijay K. Gurbani" <vkg@alcatel-lucent.com> Tue, 02 February 2010 21:48 UTC
Spencer Dawkins wrote:
> Speaking as individual,
>
> Just as a heads-up, David and I had a private conversation late last
> week, where David told me that he did some investigation after our
> Hiroshima meeting, and discovered (to his surprise) that it's fairly
> common to use SYSLOG for Apache CLF.

As far as I know, only the error messages in Apache CLF go to syslog [1]
(someone can correct me if I am wrong.) The CLF logs are still saved
on disk.

> I'm very interested in hearing reactions to this note, because it makes
> me much more comfortable with our charter - most of our chartered work
> is to identify fields that need to be logged and figure out a story for
> correlation; once we have identified the fields that should be logged,
> IFF we agree that SYSLOG makes sense, defining SYSLOG structured data
> elements for those fields should be pretty straightforward.

Note that syslog may not work when a web server (or SIP server) is
running on a small footprint device that is not able to contact the
syslog daemon. In that case, the syslog records are probably written
to local cache. However, insofar as there is a default mode to producing
Apache CLF, it is produced as a disk file.

Also, syslog records are typically small; SIP CLF records can get
pretty big depending on what all is being logged.

[1] Ben Laurie, "Apache: The Definitive Guide," 2e.

Thanks,

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
Web: http://ect.bell-labs.com/who/vkg/
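
Added example, not part of the original message: SIP fields encoded as an RFC 5424 structured-data element, with each record's size checked against the 480-octet and 2048-octet receiver limits from RFC 5424, to illustrate the record-size concern raised above. The SD-ID sipclf@32473, the parameter names and all sample values are assumptions constructed for illustration.

```python
# Added example (constructed): SIP fields carried as RFC 5424 STRUCTURED-DATA.
# The SD-ID "sipclf@32473" and parameter names are hypothetical; 32473 is the
# enterprise number reserved for documentation.

MUST_ACCEPT = 480      # octets every RFC 5424 receiver must accept (sec. 6.1)
SHOULD_ACCEPT = 2048   # octets a receiver should accept (sec. 6.1)


def sd_escape(value):
    """Escape backslash, double quote and ']' inside a PARAM-VALUE.

    SIP header values come from the network, so an unescaped '"' or ']'
    would let a caller close the element early and corrupt the record.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def syslog_record(fields, timestamp="2010-02-02T21:48:00Z", host="proxy.example.com"):
    """Build one RFC 5424 message (no MSG part) and return it as UTF-8 bytes."""
    params = " ".join(f'{k}="{sd_escape(v)}"' for k, v in fields.items())
    # PRI 134 = facility local0 (16) * 8 + severity informational (6);
    # PROCID and MSGID are left as the nil value "-".
    return f"<134>1 {timestamp} {host} sipproxy - - [sipclf@32473 {params}]".encode("utf-8")


def size_class(record):
    """Classify a record against the RFC 5424 receiver size guarantees."""
    if len(record) <= MUST_ACCEPT:
        return "fits-minimum"
    if len(record) <= SHOULD_ACCEPT:
        return "fits-recommended"
    return "may-be-truncated-or-discarded"


def via_chain(hops):
    """Constructed Via header value listing the given number of hops."""
    return ", ".join(f"SIP/2.0/UDP hop{i}.example.com;branch=z9hG4bK{i:08d}" for i in range(hops))


BASE = {"method": "INVITE", "status": "200", "from": "sip:alice@example.com",
        "to": "sip:bob@example.net", "call-id": "a84b4c76e66710"}

if __name__ == "__main__":
    for hops in (0, 10, 60):
        fields = dict(BASE, via=via_chain(hops)) if hops else BASE
        rec = syslog_record(fields)
        print(hops, "via hops:", len(rec), "octets,", size_class(rec))
```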