LogAnalysis
[logs] ugliest application logs ever? Jan 24 2008 02:14AM
Anton Chuvakin (anton chuvakin org) (5 replies)
Re: [logs] ugliest application logs ever? Jan 24 2008 09:12PM
Leo D. Geoffrion (ldg skidmore edu) (1 replies)
RE: [logs] ugliest application logs ever? Jan 24 2008 10:50PM
Tina Bird (tbird precision-guesswork com)
Re: [logs] ugliest application logs ever? Jan 24 2008 07:52PM
Jason Lewis (jlewis packetnexus com) (1 replies)
Re: [logs] ugliest application logs ever? Jan 24 2008 09:29PM
Andrew Hay (andrewsmhay gmail com)
I'm with Anton. I'm a big fan of name value pairs because they're clean and
easy to interpret. I also prefer tab delimiters because it's esthetically
pleasing :)

On 24/01/2008, Jason Lewis <jlewis (at) packetnexus (dot) com [email concealed]> wrote:
>
> I don't know about ugly, but logs that are difficult to parse suck.
>
> Netscreen:
> messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
> system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
> duration=4 policy_id=0 service=tcp/port:8000 proto
> =6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561
> src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000 translated
> ip=10.14.93.7 port=1217
> messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
> system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
> duration=4 policy_id=0 service=tcp/port:8000 proto
> =6 src zone=Trust dst zone=Untrust action=Permit sent=651 rcvd=2782
> src=10.14.94.221 dst=10.14.90.217 src_port=1040 dst_port=8000 translated
> ip=10.14.93.7 port=1218
>
> There isn't a good delimiter to break the log up, so it requires a
> custom regex. Trying to use a space is a nightmare. Give me something
> so I can quickly grab only what I need. I like pipe delimited.
>
> jas
>
>
> Anton Chuvakin wrote:
> > All,
> >
> > Ah, long time - no post! :-)
> >
> > I wanted to turn this into a formal contest but figured I'd poll the
> > list first: what are the ugliest, most useless application logs that
> > you've seen? Logs that defy log analysis, that are full of numeric
> > codes not explained anywhere? Logs that don't say what they mean (and
> > vice versa)? Logs that omit the most critical piece of info?
> >
> > Here is my example:
> >
> > |22:22:32|BTC| 7|000|DDIC | |R49|Communication error, CPIC
> > return code 020, <application> return code 456
> >
> > Why it sux: numeric codes (twice), ambiguous language, no sense of
> > priority, etc.
> >
> > More?
> >
> > Best,
> >
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>

--
Andrew Hay
blog: http://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
LinkedIn Profile: http://www.linkedin.com/in/andrewhay
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

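The NetScreen lines Jason quotes show the three things that make key=value logs hard to split on whitespace: quoted values that contain spaces (start_time), keys that themselves contain spaces ("src zone", "translated ip"), and records wrapped across lines by whatever relayed them. The parser below is an added example written for this archive page, not code from any of the posters or from the NetScreen product; it uses the two records exactly as quoted above (the "messages:" prefix is assumed to be grep's filename prefix) and emits the tab-separated name=value form Andrew prefers. Renaming the trailing bare "port" to "translated_port" is an assumption about its meaning, made so the field no longer depends on its position in the line.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: the two NetScreen traffic records quoted in the thread,
# copied as they appear there, including grep's "messages:" filename prefix
# and the line wrapping introduced in transit.
RAW = """\
messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
duration=4 policy_id=0 service=tcp/port:8000 proto
=6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561
src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000 translated
ip=10.14.93.7 port=1217
messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
duration=4 policy_id=0 service=tcp/port:8000 proto
=6 src zone=Trust dst zone=Untrust action=Permit sent=651 rcvd=2782
src=10.14.94.221 dst=10.14.90.217 src_port=1040 dst_port=8000 translated
ip=10.14.93.7 port=1218
"""

# A new record starts with a BSD syslog timestamp; any other non-empty line is
# treated as a wrapped continuation of the record before it.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")
# "messages:" in front of the timestamp is grep's filename prefix (assumed).
GREP_PREFIX = re.compile(r"^[\w.\-/]+:(?=[A-Z][a-z]{2} )")

# Syslog header plus the fixed NetScreen preamble; the key=value body follows.
HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+): NetScreen device_id=(?P<device_id>\S+) "
    r"(?P<msg_id>[\w-]+)\((?P<category>\w+)\): (?P<body>.*)$"
)

# One key=value pair. Keys may contain spaces ("src zone", "translated ip"),
# a wrapped "proto" / "=6" leaves a space before "=", and values are either a
# double-quoted string (which may contain spaces) or a run of non-space chars.
PAIR = re.compile(r'(?P<key>[A-Za-z_][\w ]*?) *=(?P<value>"[^"]*"|\S+)')


def unwrap(lines: Iterable[str]) -> List[str]:
    """Strip the grep prefix and rejoin records that were wrapped across lines."""
    records: List[str] = []
    for line in lines:
        line = GREP_PREFIX.sub("", line.rstrip("\n"))
        if not line.strip():
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse(record: str) -> Dict[str, str]:
    """Parse one unwrapped NetScreen traffic record into a flat dict."""
    m = HEADER.match(record)
    if not m:
        raise ValueError("not a NetScreen record: " + record[:60])
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    for key, value in PAIR.findall(m.group("body")):
        # "src zone" -> "src_zone"; quoted values lose their quotes.
        fields[key.strip().replace(" ", "_")] = value.strip('"')
    # The bare "port" only means "translated port" by its position after
    # "translated ip" (assumption); give it a name that does not rely on that.
    if "translated_ip" in fields and "port" in fields:
        fields["translated_port"] = fields.pop("port")
    return fields


def parse_all(text: str) -> List[Dict[str, str]]:
    """Unwrap and parse every record in a block of captured log text."""
    return [parse(r) for r in unwrap(text.splitlines())]


def to_tsv(fields: Dict[str, str], keys: Iterable[str]) -> str:
    """Emit the chosen fields as tab-separated name=value pairs."""
    return "\t".join(f"{k}={fields.get(k, '')}" for k in keys)


if __name__ == "__main__":
    wanted = ["timestamp", "src", "src_port", "dst", "dst_port",
              "action", "sent", "rcvd", "translated_ip", "translated_port"]
    for rec in parse_all(RAW):
        print(to_tsv(rec, wanted))
```

The unwrap step is the part worth keeping even if the regexes change: deciding record boundaries by the syslog timestamp, rather than by line breaks, is what makes the parser survive a mailer, a pager or a collector that wraps long lines.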
Re: [logs] ugliest application logs ever? Jan 24 2008 02:18PM
David Corlette (DCorlette novell com) (3 replies)
RE: [logs] ugliest application logs ever? Jan 25 2008 12:51AM
Mark Poepping (poepping cmu edu) (1 replies)
Re: [logs] ugliest application logs ever? Jan 25 2008 02:50AM
Matt Cuttler (mcuttler bnl gov)
Re: [logs] ugliest application logs ever? Jan 24 2008 07:53PM
Marcus J. Ranum (mjr ranum com)
Re: [logs] ugliest application logs ever? Jan 24 2008 07:43PM
Anton Chuvakin (anton chuvakin org)
Re: [logs] ugliest application logs ever? Jan 24 2008 06:21AM
John Kinsella (jlk thrashyour com) (3 replies)
RE: [logs] ugliest application logs ever? Jan 24 2008 03:47PM
Fenwick, Wynn (wynn fenwick cgi com) (1 replies)
Re: [logs] ugliest application logs ever? Jan 24 2008 08:38PM
Patrick Whalen (pwhalen rescomp com)
RE: [logs] ugliest application logs ever? Jan 24 2008 02:58PM
Paul Melson (pmelson gmail com)
Re: [logs] ugliest application logs ever? Jan 24 2008 12:47PM
Matt Cuttler (mcuttler bnl gov) (2 replies)
RE: [logs] ugliest application logs ever? Jan 24 2008 08:09PM
Rainer Gerhards (rgerhards hq adiscon com) (1 replies)
Re: [logs] ugliest application logs ever? Jan 24 2008 10:13PM
Daniel Cid (dcid ossec net)
Re: [logs] ugliest application logs ever? Jan 24 2008 07:17PM
Andrew Hay (andrewsmhay gmail com)
RE: [logs] ugliest application logs ever? Jan 24 2008 05:00AM
Tina Bird (tbird precision-guesswork com) (2 replies)
Re: [logs] ugliest application logs ever? Jan 24 2008 10:41PM
Jason Haar (Jason Haar trimble co nz)
RE: [logs] ugliest application logs ever? Jan 24 2008 05:23AM
Marcus J. Ranum (mjr ranum com) (2 replies)
Re: [logs] ugliest application logs ever? Jan 29 2008 03:06AM
Mordechai T. Abzug (morty frakir org) (1 replies)
[logs] Log Generator Jan 29 2008 06:17AM
harshad mengle wipro com (2 replies)
Re: [logs] Log Generator Jan 29 2008 03:26PM
Jim Prewett (download hpc unm edu) (2 replies)
RE: [logs] Log Generator Jan 29 2008 07:52PM
Clayton Dukes (cdukes) (cdukes cisco com) (1 replies)
RE: [logs] Log Generator Jan 29 2008 08:39PM
Marcus J. Ranum (mjr ranum com) (1 replies)
Re: [logs] Log Generator Jan 30 2008 08:33PM
Tom Le (dottom gmail com)
RE: [logs] Log Generator Jan 29 2008 03:31PM
harshad mengle wipro com
RE: [logs] Log Generator Jan 29 2008 03:00PM
Clayton Dukes (cdukes) (cdukes cisco com)
Re: [logs] ugliest application logs ever? Jan 24 2008 01:52PM
Tim Sailer (sailer bnl gov)
Copyright 2010, SecurityFocus