doing syslog-like things on windows
Jim Lancaster
jlancaster at sagiss.com
Fri Mar 5 15:06:05 CET 2004
Thank you very much for your reply. I will check out the loganalysis
lists.
[snip]
> First of all: can I quote you on a public forum? :)
By all means. <g>
> To me it seems like you've reimplemented Unix syslog plus
> some extra stuff for Windows. But I'm not a Windows expert,
> and hardly qualify as a syslog expert. I'm pretty sure the
> people on loganalysis at lists.shmoo.com (see
> http://lists.shmoo.com/mailman/listinfo/loganalysis ) can say
> much more sane things about what you've
> done.
Perhaps, but my intent was to build an 'agent' framework that performed
a few basic tasks *before* handing the results off to a syslog service.
The agent framework: (I have attached a PDF diagram.)
[Attach to logfile]->( [Read events]->[Normalize/validate]->[Filter] )->[output]
The [output] can be to a file, or handed off to a transport mechanism to
send it back to a central (Lire?) server. My intention is to separate the
'agent' from the 'transport' mechanism for two reasons: (1) The agent
could be completely language/platform independent, and (2) the transport
mechanism could be SOAP, or syslog, BEEP, or whatever--completely
independent of the agent AND the analysis/reporting engine.
The [Access logfile] would be (but is not yet) a perl module that
handles all the variations in log file types, naming schemes, rollover
schemes, etc. Its sole function is to create a starting point for the
main body of the agent to begin processing events. The intention is to
simplify agent creation by isolating this messy part from the main work
the agent has to do.
I did not know of Lire when I isolated the [Normalize/validate]
procedure in my design. However, when I came to understand the
conceptual design of Lire, I saw immediately that the Lire definition of
"normalization" could be substituted for my own. Normalizing to a DLF
would provide me access to all of the wonderful analysis & reporting
work that you have already done. It is this part that has so excited me
that I'm making a pest of myself. <g> However, my design would require
pushing the normalization process out to the agent. I'm not sure what
impact that would have on Lire.
Finally, by allowing the agent to [Filter] out uninteresting events, I
should be able to 'throttle-back' the amount of data that is being
transmitted to the server. There is just so much noise in a typical
logfile that is of limited use.
[snip]
Thanks again for your patience. Your professional opinion is very
valuable to me.
Jim
***************** Announcement *****************
We are pleased to announce that we have officially changed our name to Sagiss, LLC. Please update my e-mail address and contact information in your records to reflect our new domain name, "sagiss.com."
Our mailing address and phone numbers will remain the same.
To find out more, please visit our website: http://www.sagiss.com, or call us at 214-989-0440
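The agent pipeline sketched above, as an added example that is not code from the original post or from Lire: [Read events] -> [Normalize/validate] -> [Filter], with the [output] stage left to whatever transport is chosen. The sample log lines, the field layout, the regex and the "noise" event-id list are all constructed for illustration; the one addition a defender would want is that the agent reports how many events it rejected or filtered, so that throttling at the agent never looks like a quiet log on the server.

```python
import re

# Constructed sample of Windows-style event lines (not from the original post).
SAMPLE_LOG = """\
2004-03-05 14:58:01 Security 528 Success Audit jlancaster Successful Logon
2004-03-05 14:58:07 System 7036 Information N/A The Print Spooler service entered the running state.
this line is not an event at all
2004-03-05 14:59:12 Security 529 Failure Audit guest Logon Failure: Unknown user name or bad password
2004-03-05 14:59:40 Security 560 Success Audit jlancaster Object Open
"""

# Hypothetical field layout: timestamp, source, event id, type, user, message.
EVENT_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+) (\w+(?: Audit)?) (\S+) (.*)$")

def read_events(text):
    """[Read events]: yield raw lines from the attached log (here an in-memory string)."""
    for line in text.splitlines():
        if line.strip():
            yield line

def normalize(line):
    """[Normalize/validate]: parse one line into a flat, DLF-like record, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, source, event_id, kind, user, msg = m.groups()
    return {"time": ts, "source": source, "event_id": int(event_id),
            "type": kind, "user": user, "message": msg}

# [Filter]: event ids this agent treats as uninteresting (hypothetical noise list).
NOISE_EVENT_IDS = {7036}

def run_agent(text, noise=NOISE_EVENT_IDS):
    """Run the pipeline; return (kept_records, stats) so drop counts travel with the output."""
    stats = {"read": 0, "invalid": 0, "filtered": 0, "kept": 0}
    kept = []
    for line in read_events(text):
        stats["read"] += 1
        rec = normalize(line)
        if rec is None:            # malformed input is counted, never silently lost
            stats["invalid"] += 1
            continue
        if rec["event_id"] in noise:
            stats["filtered"] += 1
            continue
        stats["kept"] += 1
        kept.append(rec)
    return kept, stats
```

Whatever the transport (syslog, SOAP, BEEP), sending `stats` alongside the kept records lets the central server distinguish "the agent filtered 1000 events" from "the host produced none".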