Re: [Syslog] Small draft for Syslog File Storage?

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Wed, 10 November 2010 07:38 UTC

Date: Wed, 10 Nov 2010 08:38:51 +0100
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD6C8@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD6C5@GRFEXC.intern.adiscon.com> <108C7C8C45254453AB931B12C5E247A6@23FX1C1>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "David Harrington" <ietfdbh@comcast.net>, <syslog@ietf.org>
Subject: Re: [Syslog] Small draft for Syslog File Storage?

> -----Original Message-----
> From: David Harrington [mailto:ietfdbh@comcast.net]
> Sent: Wednesday, November 10, 2010 7:52 AM
> To: Rainer Gerhards; syslog@ietf.org
> Subject: RE: [Syslog] Small draft for Syslog File Storage?

Good questions, as usual. Obviously I have only one voice here, so for the
most part, I do not know. Would the OPS area be the right area to ask this in
addition to here?

My question was motivated by the Mitre CEE effort:

http://cee.mitre.org/

In very short words, CEE tries to define a standard event format, where what
syslog carries is a subset of the events possible. CEE will also define
syntaxes for log storage. We will most probably support XML, CSV, JSON and
syslog, with syslog being the only format where only an on-the-wire but no
file format standard exists.

I am on the CEE board and one thing we currently try to accomplish is define
a CEE-to-syslog mapping. There are a couple of the larger vendors interested
in logging on the board and the overall consensus seems to be that text files
play an important role when it comes to

a) storing log messages
b) feeding log messages into analysis backends

My own experience in the Linux environment and working with larger users
confirms that. I have some very large customers (which I cannot name due to
NDA) which store logs in (zipped) text file format because any other store is
impractical for their needs. Of course, that doesn't exclude representations
of other subsets in other formats for other needs.

I will try to gather feedback at least from the CEE community, but would
appreciate comments from others as well.

Rainer

> How many syslog sender/receiver implementers would be willing to
> support such a common format?
> 
> How many log analysis application vendors would like such a common
> format? Or do they consider it unnecessary because they convert
> incoming info into their own proprietary database formats anyway?
> 
> dbh
> 
> > -----Original Message-----
> > From: syslog-bounces@ietf.org
> > [mailto:syslog-bounces@ietf.org] On Behalf Of Rainer Gerhards
> > Sent: Wednesday, November 10, 2010 2:24 PM
> > To: syslog@ietf.org
> > Subject: [Syslog] Small draft for Syslog File Storage?
> >
> > Hi all,
> >
> > In what we did, we specified the on-the-wire format. However, we did not
> > specify any format to use when persisting syslog data to a file.
> >
> > Note that we were very generous when specifying the on-the-wire format, for
> > example we permit LF, CR, NUL and many other characters considered dangerous
> > in file formats.
> >
> > There are many tools available which interpret syslog data stored in text
> > files. However, different syslog implementations may use slightly different
> > file formats.
> >
> > Together with the control character issue, the file format question both has
> > interoperability AND security issues. I think these would be very easy to fix
> > if we write a small RFC that specifies how text is to be encoded. It would be
> > similar, but much smaller to RFC4627 (JSON). Actually, I think we would need
> > to carry over primarily its section 2.5.
> >
> > I would volunteer to write an initial draft, but would first like to get some
> > feedback if this effort has any chance of getting through.
> >
> > Rainer
> > _______________________________________________
> > Syslog mailing list
> > Syslog@ietf.org
> > https://www.ietf.org/mailman/listinfo/syslog
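As an added illustration of the encoding Rainer's original post proposes (example code written here, not code from the thread or from any project), the following Python applies the RFC 4627 section 2.5 string escapes to each stored record, so a raw LF, CR or NUL inside a message can never break the one-record-per-line layout of the file or be mistaken for a second record; the sample records are constructed.

```python
# Escapes taken from RFC 4627 section 2.5: short forms for the common control
# characters and backslash, \uXXXX for every other code point below U+0020.
_SHORT = {"\\": "\\\\", "\b": "\\b", "\f": "\\f", "\n": "\\n", "\r": "\\r", "\t": "\\t"}
_UNESCAPE = {v[1]: k for k, v in _SHORT.items()}  # 'n' -> '\n', '\\' -> '\\', ...
_HEX = set("0123456789abcdefABCDEF")


def encode_line(msg: str) -> str:
    """Encode one syslog message so it occupies exactly one line of the file."""
    out = []
    for ch in msg:
        if ch in _SHORT:
            out.append(_SHORT[ch])
        elif ord(ch) < 0x20:            # NUL and any other control character
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)              # printable text and non-ASCII pass through
    return "".join(out)


def decode_line(line: str) -> str:
    """Reverse encode_line(); a malformed escape is an error, not silently kept."""
    out, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = line[i + 1] if i + 1 < len(line) else ""
        hexpart = line[i + 2:i + 6]
        if nxt in _UNESCAPE:
            out.append(_UNESCAPE[nxt])
            i += 2
        elif nxt == "u" and len(hexpart) == 4 and set(hexpart) <= _HEX:
            out.append(chr(int(hexpart, 16)))
            i += 6
        else:
            raise ValueError("malformed escape at offset %d" % i)
    return "".join(out)


def store_records(msgs) -> str:
    """Serialise messages to file text: one encoded record per LF-terminated line."""
    return "".join(encode_line(m) + "\n" for m in msgs)


def load_records(text: str) -> list:
    """Parse file text back into the original messages (splits only on real LF)."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                     # trailing terminator, not an empty record
    return [decode_line(line) for line in lines]


# Constructed sample: the second message carries an embedded LF and a NUL that,
# written raw, would look like an extra line and a truncated record respectively.
RECORDS = [
    "<34>1 2010-11-10T07:38:51Z host app - - - login ok user=alice",
    "<34>1 2010-11-10T07:38:52Z host app - - - user=bob\n<34>1 forged line\x00end",
    "<34>1 2010-11-10T07:38:53Z host app - - - path=C:\\logs\\app.log",
]
```

Because every stored line is free of raw control characters, `load_records` returns exactly as many records as were written, whatever the messages contained.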