Re: [sip-clf] WGLC:draft-ietf-sipclf-problem-statement-06.txt

Peter Musgrave <> Wed, 27 April 2011 18:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 27B6FE077F for <>; Wed, 27 Apr 2011 11:43:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.698
X-Spam-Status: No, score=-102.698 tagged_above=-999 required=5 tests=[AWL=0.900, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 30KvYqW1s16Q for <>; Wed, 27 Apr 2011 11:43:01 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A68F5E0769 for <>; Wed, 27 Apr 2011 11:43:00 -0700 (PDT)
Received: by ywi6 with SMTP id 6so861293ywi.31 for <>; Wed, 27 Apr 2011 11:43:00 -0700 (PDT)
Received: by with SMTP id d18mr2129446ybl.446.1303929779809; Wed, 27 Apr 2011 11:42:59 -0700 (PDT)
Received: from petermac.magor.local ([]) by with ESMTPS id q34sm94382ybk.18.2011. (version=TLSv1/SSLv3 cipher=OTHER); Wed, 27 Apr 2011 11:42:58 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary=Apple-Mail-26--794937731
From: Peter Musgrave <>
In-Reply-To: <>
Date: Wed, 27 Apr 2011 14:42:56 -0400
Message-Id: <>
References: <> <>
To: Peter Musgrave <>
X-Mailer: Apple Mail (2.1084)
Cc: " Mailing" <>
Subject: Re: [sip-clf] WGLC:draft-ietf-sipclf-problem-statement-06.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SIP Common Log File format discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Apr 2011 18:43:02 -0000

(as individual)

Overall, I think this is in excellent shape. I have a few specific observations/questions:

Last sentence of abstract could be simplified just to SIP devices? (In section 4 UA is explicitly mentioned - and it's not in the abstract which has a list of SIP server type devices). 

8.1 From/To Header
Both contain the statement "it is not necessary to log any URI parameters". 
Perhaps this should be in normative language? URI parameters MUST NOT be logged (they can be logged separately using an option field)

R-URI: URI parameters MUST be logged?

8.2 Is it necessary to indicate what a UAS-half and UAC-half are? I can see that for a proxy a request is both received and forwarded (although I am not sure I would use the term UAC-half for the sent side of a message.) As for a B2BUA I tend to think of the two sides as a UAC and a UAS (and not a "half")

[I have set aside the examples for now - I will finish reviewing that before the WGLC ends].



On 2011-04-18, at 3:11 PM, Peter Musgrave wrote:

> Greetings CLF-ers,
> I would like to start a two week WGLC on the problem statement doc (in accordance with our discussion in Prague). 
> Please make you comments on the list by Wed. May 4th (I have added a few days to account for the Easter break). 
> We need reviewers and fresh eyes - so if you can make time to read this it is much appreciated!
> Thanks, 
> Peter Musgrave
> Chair, sip-clf
> Begin forwarded message:
>> From:
>> Date: April 18, 2011 10:30:04 AM EDT
>> To:
>> Cc:
>> Subject: [sip-clf] I-D Action:draft-ietf-sipclf-problem-statement-06.txt
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the SIP Common Log Format Working Group of the IETF.
>> 	Title           : The Common Log Format (CLF) for the Session Initiation Protocol (SIP)
>> 	Author(s)       : V. Gurbani, et al.
>> 	Filename        : draft-ietf-sipclf-problem-statement-06.txt
>> 	Pages           : 34
>> 	Date            : 2011-04-18
>> Well-known web servers such as Apache and web proxies like Squid
>> support event logging using a common log format.  The logs produced
>> using these de-facto standard formats are invaluable to system
>> administrators for trouble-shooting a server and tool writers to
>> craft tools that mine the log files and produce reports and trends.
>> Furthermore, these log files can also be used to train anomaly
>> detection systems and feed events into a security event management
>> system.  The Session Initiation Protocol does not have a common log
>> format, and as a result, each server supports a distinct log format
>> that makes it unnecessarily complex to produce tools to do trend
>> analysis and security detection.  We propose a common log file format
>> for SIP servers that can be used uniformly by proxies, registrars,
>> redirect servers as well as back-to-back user agents.
>> A URL for this Internet-Draft is:
>> Internet-Drafts are also available by anonymous FTP at:
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
> <Mail Attachment>
>> _______________________________________________
>> sip-clf mailing list