[Sipping] Meeting Minutes: Ad-hoc Common Log Format meeting

Hadriel Kaplan <HKaplan@acmepacket.com> Fri, 27 March 2009 13:41 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: sipping@core3.amsl.com
Delivered-To: sipping@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id B3D0E28C176 for <sipping@core3.amsl.com>; Fri, 27 Mar 2009 06:41:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.537
X-Spam-Status: No, score=-2.537 tagged_above=-999 required=5 tests=[AWL=0.062, BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id yevKsxTPjXir for <sipping@core3.amsl.com>; Fri, 27 Mar 2009 06:41:11 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com []) by core3.amsl.com (Postfix) with ESMTP id AC26628C16D for <sipping@ietf.org>; Fri, 27 Mar 2009 06:41:11 -0700 (PDT)
Received: from mail.acmepacket.com ( by etmail.acmepacket.com ( with Microsoft SMTP Server (TLS) id 8.1.340.0; Fri, 27 Mar 2009 09:42:05 -0400
Received: from mail.acmepacket.com ([]) by mail ([]) with mapi; Fri, 27 Mar 2009 09:42:05 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: "sipping@ietf.org" <sipping@ietf.org>
Date: Fri, 27 Mar 2009 09:42:08 -0400
Thread-Topic: Meeting Minutes: Ad-hoc Common Log Format meeting
Thread-Index: Acmu4WY9jJXyd6vWTaygOVUW6YRECQ==
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC314FF20859B@mail>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [Sipping] Meeting Minutes: Ad-hoc Common Log Format meeting
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipping>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2009 13:41:12 -0000

[re-send to fix email subject line]
Below are the rough minutes of the Sipping CLF Ad-Hoc meeting.
I'm sure I missed some people's comments (I don't touch-type) - if you find I missed yours please email me and I'll update this.
I also tried to record what I felt was consensus on specific issues, but this is clearly just subjective commentary and this was only an ad-hoc and no hmmm's were taken, etc.

Begin ------------------------------
Ad-hoc Common-Log-File format meeting
Thursday, March 26, 2009

Attendees: many, many (room is packed)

Eric Burger: [gave intro (go read ppt slides)]: Goal is to have usable log file format for tools, but not for billing nor a replacement for syslog or CDR's

Francois: if I'm already doing CDR, why bother doing this?

Umberto: Tools which do stateful parsing of SIP protocol would like this, for example anomaly/problem/IDS type things 

Hadriel: but this log file format isn't nearly enough info/detail for that

Vijay: but we can add them or argue about what we need

Adam Roach: ascii fixed format or space delimited is not efficient and tough to extend

Daryl: how will we get enough detail, compared to CDR's/wireshark?

Vijay: we think the 11 currently defined CLF headers are enough, but we want to learn if others agree

Jiri: is this per message, or per transaction - what about retransmissions?

Daryl: we'll need more detail, for example retransmissions may be important to log for troubleshooting

Vijay: We weren't thinking this will record retransmissions

Daryl: how do we correlate routed requests if b2bua's change call-id?

Dean: stateless proxies will create multiple entries for retransmissions, no matter what

Jason Fishl: no biggie - it records multiple times and we don't need to care

[I think consensus reached: don't need to worry about stateless proxies doing/needing something different]

Daryl: performance is a big deal, it will be some off-box process in some cases because impact on run-time systems won't cut it

Adam R: really we need a TLV-type format, something binary/fast to write and fast to read, so you can seek and skip large chunks fast, and have optionality

[Someone else]: and something which can record enough for troubleshooting and the like

Hadriel: the only thing useful for that would be pcap format

Francois: update the draft for format issues, because it's not decided yet and I'm not sure the format is right

Vijay: are the current fields necessary and/or sufficient?

Hadriel: insufficient fields in current CLF

Adam: we need optional extensibility, because we'll never figure out the right fields right now

Dale: To and From URI may not be useful

Derek: need sub-second accuracy, not just seconds

[people agree with that - I think consensus reached on that]

Vijay: some security folks want privacy of IP/identity

Daryl/Martin: nope, do post-processing to anonymize if you want, but the logs need to show it all

Vijay: ok, we won't anonymize anything in the CLF

[consensus reached: not important]

Vijay: what about the issues with rfc3841, where UAC can make proxy act different

Many people: don't care about that, not an issue

[consensus reached: not important]

Last words: need to update draft, discuss on mailing list