Re: [sip-clf] New CLF Syntax draft (text with index)

"Vijay K. Gurbani" <vkg@alcatel-lucent.com> Fri, 08 May 2009 13:49 UTC

Adam Roach wrote:
> This version defines a text format in which each record is composed of 
> two lines in a log file. The first line is primarily pointers into the 
> second line. The second line contains the actual logged fields, 
> separated by tab characters.

Adam: Thanks for getting this out.  I will read it in more
depth, but a couple of quick questions as I was looking at
the format.

1) Any special reason why the flags field is separated from
the record length field by a comma?  And the same for the
record length field being separated by a comma from the
server transaction pointer field.  Eliminating them would
save 2 bytes per record.

2) I am not sure I follow the 0x0A in byte 80 -- is it the
length of the Date/Time field (i.e., up to the period in
byte 91)?

3) What about 0x09 in byte 98 and 0x09 in byte 109?  What
are they used for?

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
Web:   http://ect.bell-labs.com/who/vkg/