Re: [Syslog] draft-cloud-log-00 / CEE - why not IPFIX?
Jeroen Massar <jeroen@unfix.org> Wed, 16 February 2011 10:34 UTC
Return-Path: <jeroen@unfix.org>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3FD173A6DD2 for <syslog@core3.amsl.com>; Wed, 16 Feb 2011 02:34:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.996
X-Spam-Level:
X-Spam-Status: No, score=-101.996 tagged_above=-999 required=5 tests=[AWL=0.604, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cxFejZx3YPJ for <syslog@core3.amsl.com>; Wed, 16 Feb 2011 02:34:27 -0800 (PST)
Received: from abaddon.unfix.org (abaddon.unfix.org [62.220.146.203]) by core3.amsl.com (Postfix) with ESMTP id D289D3A6B59 for <syslog@ietf.org>; Wed, 16 Feb 2011 02:34:26 -0800 (PST)
Received: from [IPv6:2001:41e0:ff42:99:222:cfff:fe31:ce41] (spaghetti.ch.unfix.org [IPv6:2001:41e0:ff42:99:222:cfff:fe31:ce41]) (using SSLv3 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jeroen) by abaddon.unfix.org (Postfix) with ESMTPSA id 48ECB20B3E; Wed, 16 Feb 2011 11:34:19 +0100 (CET)
Message-ID: <4D5BA85B.7040007@unfix.org>
Date: Wed, 16 Feb 2011 11:35:07 +0100
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: "Heinbockel, Bill" <heinbockel@mitre.org>
References: <4D5A60C8.3090000@unfix.org> <93ED0A84F9A1D74FA65021D940AA588405446C41F9@IMCMBX3.MITRE.ORG>
In-Reply-To: <93ED0A84F9A1D74FA65021D940AA588405446C41F9@IMCMBX3.MITRE.ORG>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Sam Johnston <sj@google.com>, cee@mitre.org, syslog@ietf.org
Subject: Re: [Syslog] draft-cloud-log-00 / CEE - why not IPFIX?
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 10:34:28 -0000
On 2011-02-16 06:21, Heinbockel, Bill wrote: > From what I understand, IPFIX is for expression of IP flows from network sensing > devices. For a short bit forget about the history of IPFIX, it indeed comes from NetFlow, and thus is used quite in a network centric way, but effectively it is a structured streaming data format. > Could you please explain how IPFIX is relevant to event and cloud logging data? > I understand how CEE and IPFIX may overlap for describing networking events, but > it is unclear to me how IPFIX could handle things like Windows Event Logs and > RHEL audit logs. There are two parts to IPFIX: Templates + Data The template describes how the data looks like, for instance, lets take an Apache CLF log entry: 66.249.66.174 - - [16/Feb/2011:10:48:11 +0100] "GET /robots.txt HTTP/1.1" 200 2629 "-" "Googlebot-Image/0" We can make an IPFIX template for that [ {4, IPv4_SRC }, {4, TIMESTAMP}, {4, HTTP_METHOD}, {v, URL}, {v, HTTP_PROTOCOL}, {2, HTTP_RESULT}, {8, OCTETS}, {v, HTTP_REFER}, {v, HTTP_USERAGENT}, ] The 'v' markers indicate variable fieldlengths, the others indicates the number of bytes such a field takes. The data is then just encoded in the above format, presto. The above is a simple example, one can also have repeating lists and of course you could make a variable template which just includes the fields that you actually want to look at or you could already do some aggregation and add other fields. Templates are only sent every now and then, as they should not change. The data is the important bit. The fieldnames are actually numbers in the data, thus very compact, and are mapped to descriptions, data types etc, per a nice XML file http://www.iana.org/assignments/ipfix/ipfix.xml (or .xhtml or .txt for a more human readable version ;) for the official IANA list and with the help of Enterprise IDs any others can easily be added. The big advantage is that you can more or less do static templates if you want and you only need one single parser on the collector side, thus one does not have to create another parser and collector again for decoding other protocols, just one, the IPFIX one, and you can optimize that really well for all kinds of scenarios. Greets, Jeroen
- [Syslog] draft-cloud-log-00 / CEE - why not IPFIX? Jeroen Massar
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Jeroen Massar
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Rainer Gerhards
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Jeroen Massar
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Rainer Gerhards
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Jeroen Massar
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Heinbockel, Bill
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Dan Schlitt
- Re: [Syslog] draft-cloud-log-00 / CEE - why not I… Gene Golovinsky