LogAnalysis
Re: [logs] ugliest application logs ever? Jan 24 2008 10:20PM
Jason Lewis (jlewis packetnexus com)
Except they didn't standardize the keys....

proto=6 src zone=Trust dst zone=Untrust action=Permit

There is a space before zone that hoses things up.

Dilley, Ron wrote:
> Jas,
>
> This does not look too bad as long as you don't use regex to parse it.
>
> Key=value all the way . . .
>
> Ron
>
>
>
> On 1/24/08 11:52 AM, "Jason Lewis" <jlewis (at) packetnexus (dot) com [email concealed]> wrote:
>
> I don't know about ugly, but logs that are difficult to parse suck.
>
> Netscreen:
> messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
> system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
> duration=4 policy_id=0 service=tcp/port:8000 proto
> =6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561
> src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000
> translated
> ip=10.14.93.7 port=1217
> messages:Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
> system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
> duration=4 policy_id=0 service=tcp/port:8000 proto
> =6 src zone=Trust dst zone=Untrust action=Permit sent=651 rcvd=2782
> src=10.14.94.221 dst=10.14.90.217 src_port=1040 dst_port=8000
> translated
> ip=10.14.93.7 port=1218
>
> There isn't a good delimiter to break the log up, so it requires a
> custom regex. Trying to use a space is a nightmare. Give me something
> so I can quickly grab only what I need. I like pipe delimited.
>
> jas
>
>
> Anton Chuvakin wrote:
> > All,
> >
> > Ah, long time - no post! :-)
> >
> > I wanted to turn this into a formal contest but figured I'd poll the
> > list first: what are the ugliest, most useless application logs that
> > you've seen? Logs that defy log analysis, that are full of numeric
> > codes not explained anywhere? Logs that don't say what they mean (and
> > vice versa)? Logs that omit the most critical piece of info?
> >
> > Here is my example:
> >
> > |22:22:32|BTC| 7|000|DDIC | |R49|Communication error, CPIC
> > return code 020, <application> return code 456
> >
> > Why it sux: numeric codes (twice), ambiguous language, no sense of
> > priority, etc.
> >
> > More?
> >
> > Best,
> >
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
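The "space before zone" problem from this thread, worked through in code. This is an added example, not anything posted to the list: it parses the quoted NetScreen traffic line both the naive way (whitespace split, which collapses `src zone` and `dst zone` into one key) and with a parser that knows the compound keys. The list of compound keys is an assumption covering only the keys visible in the quoted line; real NetScreen output may have more.

```python
import re

# Constructed sample: the NetScreen traffic line quoted in the thread, with the
# mail-client wrapping ("proto\n=6", "translated\nip=") left in on purpose and
# the grep "messages:" filename prefix dropped.
SAMPLE = """Dec 17 09:35:27 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
system-notification-00257(traffic): start_time="2002-12-17 09:40:18"
duration=4 policy_id=0 service=tcp/port:8000 proto
=6 src zone=Trust dst zone=Untrust action=Permit sent=715 rcvd=6561
src=10.14.94.221 dst=10.14.90.217 src_port=1039 dst_port=8000
translated
ip=10.14.93.7 port=1217"""

# Keys NetScreen writes with an embedded space (assumed list, from the sample
# only). Nothing in the line marks where a key starts, so "Untrust action" is
# indistinguishable from "src zone" by syntax alone; an explicit list is the fix.
COMPOUND_KEYS = ("src zone", "dst zone", "translated ip")
_KEY = "|".join(re.escape(k) for k in COMPOUND_KEYS) + r"|\w+"
# key=value; the key must start at a word start, the value is either a
# "quoted string" (may contain spaces) or a single whitespace-free token.
PAIR_RE = re.compile(rf'(?<![\w-])(?P<key>{_KEY})=(?P<val>"[^"]*"|\S+)')
HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} [\d:]{8}) (?P<host>\S+) (?P<prog>\S+): NetScreen ")
MSGID_RE = re.compile(r"(?P<msg_id>[\w-]+)\((?P<category>\w+)\):")

def unwrap(raw):
    # Undo mail wrapping: a line beginning with "=" continues the key above it;
    # all other line breaks and runs of whitespace become one space.
    return " ".join(re.sub(r"\n(?==)", "", raw).split())

def naive_split(raw):
    # The approach the thread warns against: split on whitespace, then on "=".
    # "src zone=Trust dst zone=Untrust" collapses to a single key "zone".
    rec = {}
    for tok in unwrap(raw).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec

def parse_netscreen(raw):
    # Header fields, message id, then every key=value pair; compound keys are
    # normalised to snake_case so downstream code sees src_zone / dst_zone.
    text = unwrap(raw)
    rec = {}
    for regex in (HEADER_RE, MSGID_RE):
        m = regex.search(text)
        if m:
            rec.update(m.groupdict())
    for m in PAIR_RE.finditer(text):
        rec[m.group("key").replace(" ", "_")] = m.group("val").strip('"')
    return rec
```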

Copyright 2010, SecurityFocus