Re: [Syslog] draft-cloud-log-00 / CEE - why not IPFIX?
"Rainer Gerhards" <rgerhards@hq.adiscon.com> Wed, 16 February 2011 10:39 UTC
Date: Wed, 16 Feb 2011 11:39:43 +0100
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDC71@GRFEXC.intern.adiscon.com>
In-Reply-To: <4D5BA85B.7040007@unfix.org>
References: <4D5A60C8.3090000@unfix.org><93ED0A84F9A1D74FA65021D940AA588405446C41F9@IMCMBX3.MITRE.ORG> <4D5BA85B.7040007@unfix.org>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: Jeroen Massar <jeroen@unfix.org>, "Heinbockel, Bill" <heinbockel@mitre.org>
Cc: Sam Johnston <sj@google.com>, cee@mitre.org, syslog@ietf.org
Subject: Re: [Syslog] draft-cloud-log-00 / CEE - why not IPFIX?
The SIP CLF WG has just recently rejected IPFIX for it being binary and chosen indexed ASCII instead for their format. Their reasoning (after a long struggle) is probably educating: http://www.ietf.org/mail-archive/web/sip-clf/current/msg00364.html

I don't think that IPFIX is a good solution *in the syslog context*. It is very far from what people expect. Other than that, I'd probably need to re-iterate the arguments made on the SIP CLF mailing list, so it probably is better to refer to their archive ;)

Rainer

> -----Original Message-----
> From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On Behalf Of Jeroen Massar
> Sent: Wednesday, February 16, 2011 11:35 AM
> To: Heinbockel, Bill
> Cc: Sam Johnston; cee@mitre.org; syslog@ietf.org
> Subject: Re: [Syslog] draft-cloud-log-00 / CEE - why not IPFIX?
>
> On 2011-02-16 06:21, Heinbockel, Bill wrote:
> > From what I understand, IPFIX is for expression of IP flows from network sensing devices.
>
> For a short bit forget about the history of IPFIX, it indeed comes from NetFlow, and thus is used quite in a network centric way, but effectively it is a structured streaming data format.
>
> > Could you please explain how IPFIX is relevant to event and cloud logging data?
> > I understand how CEE and IPFIX may overlap for describing networking events, but
> > it is unclear to me how IPFIX could handle things like Windows Event Logs and
> > RHEL audit logs.
>
> There are two parts to IPFIX: Templates + Data
>
> The template describes what the data looks like, for instance, let's take an Apache CLF log entry:
>
> 66.249.66.174 - - [16/Feb/2011:10:48:11 +0100] "GET /robots.txt HTTP/1.1" 200 2629 "-" "Googlebot-Image/0"
>
> We can make an IPFIX template for that:
>
> [
>   {4, IPv4_SRC },
>   {4, TIMESTAMP},
>   {4, HTTP_METHOD},
>   {v, URL},
>   {v, HTTP_PROTOCOL},
>   {2, HTTP_RESULT},
>   {8, OCTETS},
>   {v, HTTP_REFER},
>   {v, HTTP_USERAGENT},
> ]
>
> The 'v' markers indicate variable field lengths, the others indicate the number of bytes such a field takes. The data is then just encoded in the above format, presto.
>
> The above is a simple example, one can also have repeating lists and of course you could make a variable template which just includes the fields that you actually want to look at or you could already do some aggregation and add other fields. Templates are only sent every now and then, as they should not change. The data is the important bit.
>
> The field names are actually numbers in the data, thus very compact, and are mapped to descriptions, data types etc., per a nice XML file http://www.iana.org/assignments/ipfix/ipfix.xml (or .xhtml or .txt for a more human readable version ;) for the official IANA list, and with the help of Enterprise IDs any others can easily be added.
>
> The big advantage is that you can more or less do static templates if you want and you only need one single parser on the collector side, thus one does not have to create another parser and collector again for decoding other protocols, just one, the IPFIX one, and you can optimize that really well for all kinds of scenarios.
>
> Greets,
>  Jeroen
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
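Jeroen's templates-plus-data description, worked through on the Apache log line he quotes. This is an added example, not code from the thread or from any IPFIX implementation: it mirrors his field list with constructed type tags, encodes only the data record (no template set or message header), uses the RFC 7011 variable-length prefix for the 'v' fields, and the CLF parser and NUL padding of fixed-width strings are my assumptions.

```python
import ipaddress, re
from datetime import datetime
VARLEN = 65535  # IPFIX template length meaning "variable length" (RFC 7011)
# Jeroen's field list as (name, length, type). Names are his, not IANA IEs; the
# template set that maps each to a numeric element id is not modelled here.
TEMPLATE = [("IPv4_SRC", 4, "ip"), ("TIMESTAMP", 4, "uint"), ("HTTP_METHOD", 4, "str"),
            ("URL", VARLEN, "str"), ("HTTP_PROTOCOL", VARLEN, "str"),
            ("HTTP_RESULT", 2, "uint"), ("OCTETS", 8, "uint"),
            ("HTTP_REFER", VARLEN, "str"), ("HTTP_USERAGENT", VARLEN, "str")]
CODECS = {  # kind -> (to bytes, from bytes); fixed-width strings are NUL padded (assumption)
    "ip": (lambda v, n: ipaddress.IPv4Address(v).packed, lambda b: str(ipaddress.IPv4Address(b))),
    "uint": (lambda v, n: v.to_bytes(n, "big"), lambda b: int.from_bytes(b, "big")),
    "str": (lambda v, n: v.encode().ljust(0 if n == VARLEN else n, b"\0"), lambda b: b.rstrip(b"\0").decode()),
}
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"$')
SAMPLE = ('66.249.66.174 - - [16/Feb/2011:10:48:11 +0100] "GET /robots.txt '
          'HTTP/1.1" 200 2629 "-" "Googlebot-Image/0"')  # the line quoted in the post

def parse_clf(line):  # split one combined-log line into the template's fields
    m = CLF_RE.match(line)
    if not m:
        raise ValueError("not a combined log format line")
    ts = int(datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z").timestamp())
    return {"IPv4_SRC": m[1], "TIMESTAMP": ts, "HTTP_METHOD": m[3], "URL": m[4],
            "HTTP_PROTOCOL": m[5], "HTTP_RESULT": int(m[6]), "OCTETS": 0 if m[7] == "-" else int(m[7]),
            "HTTP_REFER": m[8], "HTTP_USERAGENT": m[9]}

def encode_record(fields):  # data record only: no template set, no message header
    out = bytearray()
    for name, length, kind in TEMPLATE:
        b = CODECS[kind][0](fields[name], length)
        if length == VARLEN:  # RFC 7011 s7: one length byte, or 0xFF then a 2-byte length
            b = (bytes([len(b)]) if len(b) < 255 else b"\xff" + len(b).to_bytes(2, "big")) + b
        elif len(b) != length:  # an oversize fixed field would shift every later one
            raise ValueError(f"{name} must be {length} bytes, got {len(b)}")
        out += b
    return bytes(out)

def decode_record(buf):  # without the template the bytes cannot be read back
    fields, pos = {}, 0
    for name, length, kind in TEMPLATE:
        n = length
        if length == VARLEN:  # undo the length prefix
            n, pos = ((buf[pos], pos + 1) if buf[pos] < 255
                      else (int.from_bytes(buf[pos + 1:pos + 3], "big"), pos + 3))
        chunk, pos = buf[pos:pos + n], pos + n
        if len(chunk) != n:
            raise ValueError(f"record truncated inside {name}")
        fields[name] = CODECS[kind][1](chunk)
    return fields
```

For the sample line the record is 63 bytes against 106 bytes of text, and a collector needs only the template to read it back; a truncated record or an oversize fixed-width field is rejected rather than silently misaligned.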