Re: [sip-clf] A syslog approach to sip logging

"Vijay K. Gurbani" <> Tue, 02 February 2010 21:48 UTC

From: "Vijay K. Gurbani" <>
Organization: Bell Labs Security Technology Research Group
Date: Tue, 02 Feb 2010 15:49:23 -0600
To: Spencer Dawkins <>
Cc: 'SIP-CLF Mailing List' <>
Subject: Re: [sip-clf] A syslog approach to sip logging

Spencer Dawkins wrote:
> Speaking as an individual,
> Just as a heads-up, David and I had a private conversation late last 
> week, where David told me that he did some investigation after our 
> Hiroshima meeting, and discovered (to his surprise) that it's fairly 
> common to use SYSLOG for Apache CLF.

As far as I know, only the error messages in Apache CLF go to
syslog [1] (someone can correct me if I am wrong).  The CLF
logs are still saved on disk.

> I'm very interested in hearing reactions to this note, because it makes 
> me much more comfortable with our charter - most of our chartered work 
> is to identify fields that need to be logged and figure out a story for 
> correlation; once we have identified the fields that should be logged, 
> IFF we agree that SYSLOG makes sense, defining SYSLOG structured data 
> elements for those fields should be pretty straightforward.

Note that syslog may not work when a web server (or SIP server) is
running on a small-footprint device that is not able to contact
the syslog daemon.  In that case, the syslog records are probably
written to a local cache.

However, insofar as there is a default mode for producing Apache
CLF, it is produced as a disk file.  Also, syslog records are
typically small; SIP CLF records can get pretty big depending on
what all is being logged.

[1] Ben Laurie, "Apache: The Definitive Guide," 2nd ed.


- vijay
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
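The two technical points in this exchange, Spencer's "syslog structured data elements for those fields" and Vijay's caveat that SIP CLF records can outgrow a syslog message, are illustrated by the following added example. It is not code from the sip-clf thread or from either poster; it assumes an illustrative SIP field set (the working group had not fixed one), an SD-ID "sipclf@32473" built on the enterprise number RFC 5612 reserves for documentation, and the message-size limits stated in RFC 3164 and RFC 5424. It encodes one SIP transaction as an RFC 5424 message, escapes header values so a crafted From or Via cannot break out of the structured-data element or forge a second log line, and reports whether the result fits the sizes a receiver is guaranteed to accept.

```python
"""Added example (not from the sip-clf thread): one SIP transaction record as
an RFC 5424 syslog message with structured data, plus a size check."""
import datetime

# RFC 5424 section 6.1: a receiver MUST accept 480 octets and SHOULD accept 2048.
RFC5424_MIN_OCTETS = 480
RFC5424_RECOMMENDED_OCTETS = 2048
# RFC 3164 section 4.1: BSD syslog packets are capped at 1024 octets.
RFC3164_MAX_OCTETS = 1024

# Assumption: enterprise number 32473 is the one RFC 5612 reserves for
# documentation; a real deployment would use its own registered PEN.
SD_ID = "sipclf@32473"

# Assumption: an illustrative field set, not the working group's final list.
# The From value is constructed to contain double quotes, which are legal in a
# SIP display name but must be escaped inside an SD-PARAM-VALUE.
SAMPLE_FIELDS = {
    "method": "INVITE",
    "ruri": "sip:alice@example.com",
    "callid": "a84b4c76e66710@pc33.example.com",
    "from": '"Bob" <sip:bob@example.com>;tag=1928301774',
    "to": "<sip:alice@example.com>",
    "cseq": "314159 INVITE",
    "src": "192.0.2.4:5060",
    "dst": "192.0.2.1:5060",
    "transport": "UDP",
}


def sd_escape(value):
    """Escape a PARAM-VALUE per RFC 5424 section 6.3.3: backslash, double quote
    and ']' get a backslash prefix (backslash first, so nothing is escaped twice).
    CR and LF are replaced with spaces as a defensive measure so a SIP header
    cannot forge a new record on newline-framed (non-transparent) transports."""
    value = value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
    return value.replace("\r", " ").replace("\n", " ")


def sd_element(sd_id, params):
    """Render one SD-ELEMENT: [SD-ID name="value" name="value" ...]."""
    body = " ".join(f'{name}="{sd_escape(str(val))}"' for name, val in params.items())
    return f"[{sd_id} {body}]"


def syslog_record(fields, ts, hostname="sipproxy01", app="sipd", procid="4242",
                  facility=16, severity=6, msgid="sipclf"):
    """Build an RFC 5424 message: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID
    MSGID SD (the MSG part is omitted; every field lives in structured data).
    Defaults are hypothetical: facility 16 is local0, severity 6 is informational."""
    pri = facility * 8 + severity
    timestamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")  # RFC 3339, UTC
    header = f"<{pri}>1 {timestamp} {hostname} {app} {procid} {msgid}"
    return (header + " " + sd_element(SD_ID, fields)).encode("utf-8")


def size_report(record):
    """Compare the encoded record against the three limits above."""
    n = len(record)
    return {
        "octets": n,
        "fits_rfc3164": n <= RFC3164_MAX_OCTETS,
        "fits_rfc5424_min": n <= RFC5424_MIN_OCTETS,
        "fits_rfc5424_recommended": n <= RFC5424_RECOMMENDED_OCTETS,
    }


def sample_record():
    """A small transaction: comfortably inside every limit."""
    return syslog_record(SAMPLE_FIELDS, datetime.datetime(2010, 2, 2, 21, 49, 23))


def oversized_record():
    """The same transaction after 40 proxy hops: the accumulated Via list alone
    is well over 2 KB, so the record no longer fits a guaranteed syslog message."""
    fields = dict(SAMPLE_FIELDS)
    fields["via"] = ", ".join(
        f"SIP/2.0/UDP proxy{i}.example.net:5060;branch=z9hG4bK{i:08d}" for i in range(40)
    )
    return syslog_record(fields, datetime.datetime(2010, 2, 2, 21, 49, 23))


if __name__ == "__main__":
    for name, rec in (("sample", sample_record()), ("oversized", oversized_record())):
        print(name, size_report(rec))
        print(rec.decode("utf-8")[:160], "...")
```

Run it and the oversized case shows why a size policy (truncate, split, or send over a TLS/TCP transport with octet-counting framing and a larger agreed maximum) has to be part of any syslog mapping; the escape routine shows the other side of the same coin, that untrusted SIP header text must not be able to terminate the SD-ELEMENT or the line.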