[sip-clf] Next revision for the proposed CLF charter

Robert Sparks <rjsparks@nostrum.com> Fri, 31 July 2009 10:07 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: sip-clf@core3.amsl.com
Delivered-To: sip-clf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4E65D3A6960; Fri, 31 Jul 2009 03:07:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SPF_PASS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z4whub+KjX2f; Fri, 31 Jul 2009 03:07:18 -0700 (PDT)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 2046A3A68B7; Fri, 31 Jul 2009 03:07:17 -0700 (PDT)
Received: from dhcp-26f2.meeting.ietf.org (dhcp-26f2.meeting.ietf.org [130.129.38.242]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id n6VA7G1m052659 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 31 Jul 2009 05:07:17 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
Message-Id: <DDC1E758-32DB-41B0-B3F3-254334341FB4@nostrum.com>
From: Robert Sparks <rjsparks@nostrum.com>
To: dispatch mailing list <dispatch@ietf.org>, sip-clf@ietf.org
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Fri, 31 Jul 2009 12:07:14 +0200
X-Mailer: Apple Mail (2.935.3)
Received-SPF: pass (nostrum.com: 130.129.38.242 is authenticated by a trusted mechanism)
Subject: [sip-clf] Next revision for the proposed CLF charter
X-BeenThere: sip-clf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-clf>
List-Post: <mailto:sip-clf@ietf.org>
List-Help: <mailto:sip-clf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2009 10:07:19 -0000

The SIP Common Log Format (CLF) working group is chartered to define
a standard logging format for systems processing SIP messages.

Well-known web servers such as Apache and web proxies like Squid
support event logging using a common log format.  The logs produced
using these de-facto standard formats are invaluable to system
administrators for trouble-shooting a server and tool writers to
craft tools that mine the log files to produce reports and trends
and to search for a certain message or messages, a transaction
or a related set of transactions.  Furthermore, these log records
can also be used to train anomaly detection systems and feed events
into a security event management system.

The Session Initiation Protocol does not have a common log
format. Diverse elements provide distinct log formats making
it complex to produce tools to analyze them.

The CLF working group will produce a format suitable for logging
from any SIP element. The format will anticipate the need to
search, merge, and summarize the log records from diverse elements.
The format will anticipate the need to correlate messages from
multiple elements related to a given request (that may fork) or a
given dialog. The format will take SIP's extensibility into
consideration, providing a way to represent SIP message components
that are defined in the future.  The format will anticipate being
used both for off-line analysis and on-line real-time processing
applications. The working group will consider the need for
efficient creation of records and the need for efficient processing
of the records.

The working group will identify the fields to appear in a log
record and provide one or more formats for encoding those fields.
The working group is not pre-constrained to producing either a
bit-field oriented or text-oriented format, and may choose to
provide both. If the group chooses to specify both, it must be
possible to mechanically translate between the formats without loss
of information.

Specifying the mechanics of exchanging, transporting, and storing
SIP Common Log Format records is explicitly out of scope. Specifying
a real-time transfer mechanism for heuristic analysis is explicitly
out of scope.

The group will generate:

- A problem statement enunciating the motivation,
and use cases for a SIP Common Log Format. This analysis
will identify the required minimal information that must
appear in any record.

- A specification of the SIP Common Log Format record

The group will consider providing one or more reference
implementations for decoding a CLF record.

Goals and Milestones
===========================

Oct 09 - Problem statement, motivation, and use cases
          WGLC
Nov 09 - Problem statement, motivation, and use cases
          to IESG (Informational)
Jan 10 - SIP Common Log Format specification
          WGLC
Feb 10 - SIP Common Log Format specification
          to IESG (PS)