Re: [Syslog] I-D Action:draft-cloud-log-01.txt (fwd)

Gene Golovinsky <> Mon, 21 March 2011 12:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A08BF28C10E for <>; Mon, 21 Mar 2011 05:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.265
X-Spam-Status: No, score=-3.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ASWyPYEAFnCO for <>; Mon, 21 Mar 2011 05:27:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 25D953A6840 for <>; Mon, 21 Mar 2011 05:27:42 -0700 (PDT)
Received: from localhost (localhost.localdomain []) by (SMTP Server) with ESMTP id 82911188249; Mon, 21 Mar 2011 08:29:14 -0400 (EDT)
X-Virus-Scanned: OK
Received: from ( []) by (SMTP Server) with ESMTPS id 624DB188237; Mon, 21 Mar 2011 08:29:14 -0400 (EDT)
Received: from ([]) by ([]) with mapi; Mon, 21 Mar 2011 07:29:14 -0500
From: Gene Golovinsky <>
To: Raffael Marty <>, Chris Lonvick <>, "" <>
Date: Mon, 21 Mar 2011 07:29:13 -0500
Thread-Topic: [Syslog] I-D Action:draft-cloud-log-01.txt (fwd)
Thread-Index: AcvmvoDTTcB27jyrR0GAfi8ZsJTE6ABAhi2A
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [Syslog] I-D Action:draft-cloud-log-01.txt (fwd)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Mar 2011 12:27:44 -0000

I have responded to your blog post in a private e-mail a few weeks ago.

There are two aspects here that I feel need addressing.

1. If I take your statement that that standardization of logging in the cloud is not needed than conversation about technical merits of the proposal is completely irrelevant! Why even bother working out the correct technical solution if the problem does not even exist?
2. I completely agree that we need ONE standard. We actually already have it - Syslog.

CloudLog is an extension to Syslog and using exiting and well defined Syslog facilities. You are proposing CEE instead, which cannot really be easily mapped to Syslog hence all existing facilities will not work.

I would also argue that CloudLog is really a protocol, while CEE looks rather like a data model to me.

If anything they are rather orthogonal to each other. 

I completely disagree that Cloud is not special. Like any other new IT deployment, Cloud brings a slew of new and previously not considered uses cases. Those use cases are discussed in the latest rev of the draft.
One size fits all has never worked and never will.
As new technology gets developed new methodologies and protocols are needed.
With rapid adoption of Cloud deployments - SaaS, PaaS and IaaS - we need protocols and methodologies to manage and monitor them.
Even exiting traditional security solutions don't really work with Cloud deployments  as, for example, with IaaS traditional NIDS does not have access to the network traffic.
Same applies to logging. Your usage and access paradigm is changed and logging of them needs to keep up. 


-----Original Message-----
From: [] On Behalf Of Raffael Marty
Sent: Sunday, March 20, 2011 12:06 AM
To: Chris Lonvick
Subject: Re: [Syslog] I-D Action:draft-cloud-log-01.txt (fwd)

Chris et al.

I have written a technical review of why a cloud logging standard doesn't make any sense here:


Aside from the many many shortcomings that are addressed in my blog post, standardizing cloud logging is like saying we are going to write a standard for mobile phone logging, one for green data center initiatives, one for virtualization, etc. We need one standard. The cloud is not special. It's a virtualized, distributed, asynchronous environment. We need to add these (and other) use-cases to an existing or a new logging standard, but not create a variety of different use-cases. Let's define what the cloud use-case demands and add it as a requirement to some other standard.

Please consider this when looking at the cloud-draft.

Thank you!


Raffael Marty                          Founder and COO @ Loggly

On Mar 16, 2011, at 6:37 AM, Chris Lonvick wrote:

> Hi Folks,
> Just passing this along.
> Thanks,
> Chris
> ---------- Forwarded message ----------
> Date: Mon, 14 Mar 2011 14:45:09 -0700
> From:
> To:
> Subject: I-D Action:draft-cloud-log-01.txt
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 	Title           : Syslog Extension for Cloud Using Syslog Structured Data
> 	Author(s)       : G. Golovinsky, et al.
> 	Filename        : draft-cloud-log-01.txt
> 	Pages           : 11
> 	Date            : 2011-03-14
> This document provides an open and extensible log format to be used by 
> any cloud entity or cloud application to log and trace activities that 
> occur in the cloud.  It is equally applicable for cloud infrastructure 
> (IaaS), platform (PaaS), and application (SaaS) services.  CloudLog is 
> defferent in content, but not in nature from the traditional logging 
> as it takes in account transient nature of identities and resources in 
> the cloud.
> A URL for this Internet-Draft is:
> Internet-Drafts are also available by anonymous FTP at:
> Below is the data which will enable a MIME compliant mail reader 
> implementation to automatically retrieve the ASCII version of the 
> Internet-Draft.<Mail Attachment><Mail 
> Attachment.txt>_______________________________________________
> Syslog mailing list

Syslog mailing list