[sip-ops] [dispatch] SIP-CLF: Extensibility considerations (was Results on ASCII vs. binary representation)

Adam Roach <adam@nostrum.com> Thu, 30 April 2009 20:07 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: sip-ops@core3.amsl.com
Delivered-To: sip-ops@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A9643A6FFF; Thu, 30 Apr 2009 13:07:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.579
X-Spam-Level:
X-Spam-Status: No, score=-2.579 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, SPF_PASS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nZA5zoODLZZT; Thu, 30 Apr 2009 13:07:08 -0700 (PDT)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 0BF253A7194; Thu, 30 Apr 2009 13:06:47 -0700 (PDT)
Received: from [172.16.3.231] (vicuna-alt.estacado.net [75.53.54.121]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id n3UK86pw038397 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 30 Apr 2009 15:08:06 -0500 (CDT) (envelope-from adam@nostrum.com)
Message-ID: <49FA0526.4010000@nostrum.com>
Date: Thu, 30 Apr 2009 15:08:06 -0500
From: Adam Roach <adam@nostrum.com>
User-Agent: Postbox 1.0b11 (Macintosh/2009041623)
MIME-Version: 1.0
To: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass (nostrum.com: 75.53.54.121 is authenticated by a trusted mechanism)
Cc: "sip-ops@ietf.org" <sip-ops@ietf.org>, "dispatch@ietf.org" <dispatch@ietf.org>, Hadriel Kaplan <HKaplan@acmepacket.com>
Subject: [sip-ops] [dispatch] SIP-CLF: Extensibility considerations (was Results on ASCII vs. binary representation)
X-BeenThere: sip-ops@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Operations <sip-ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-ops>, <mailto:sip-ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-ops>
List-Post: <mailto:sip-ops@ietf.org>
List-Help: <mailto:sip-ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-ops>, <mailto:sip-ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2009 20:07:09 -0000

Vijay K. Gurbani wrote:
> Hadriel Kaplan wrote:

>> But anyway, I think the real question that needs to be answered
>> *first* is "what is the purpose of the CLF?" What is it going to
>> help admins do? Is it for troubleshooting, or for registration audit
>> logging, or for IDS systems, etc?
>
>  From the list above, at least for troubleshooting, logging, and
> IDS systems. What I do not envision CLF being used for is
> debugging (distinct from troubleshooting) and CDR.

Even knowing the list of purposes, if we go with a text format similar 
to what is proposed, we are going to be forced to nail down the complete 
set of log record fields now, with little hope for backwards-compatible 
extensibility in the future. Admittedly, we *could* go to a tagged text 
format (e.g. where the fields are explicitly labeled instead of being 
inferred by position) to address this shortcoming, but that's not what's 
being proposed at the moment.

So, if we go down the path proposed in draft-gurbani-..., we're strapped 
with coming up with the perfect set of future-proof fields that 
encompasses everything anyone will ever need in the log file, while (at 
the same time) not including extraneous information that people don't 
want to bother generating and/or parsing.

The binary format I've proposed allows for exclusion of information the 
logging node doesn't consider relevant, as well as inclusion of 
information that we don't define at this time. For me, that's almost as 
big a win as the efficiency in searching a file for records of interest.

/a