logging, and on the results of documenting the audit records that were actually
sent by various programs. It is rather long, I'm afraid—but please read at
least the "issues" section; these lessons were learned the hard way, and any
plan that ignores them will fail.
Outline
- Issues:
  - Any generic log parsing tool WILL need to handle unstructured text. Always.
  - Any structured logging format WILL be used inconsistently.
  - There WILL NOT be a universal field name namespace.
  - Any generic log parsing tool WILL need to handle unstructured text. Always.
  - You can only "trust" data that always comes from the same piece of code.
  - Most log analysis code must specifically know what record it is working with.
- Structured logging formats cannot deliver what they promise.
- Do not define new structured logging formats.
- Define a universal field syntax. Make it trivial to use.
- Treat unstructured text as the primary format, and optimize its use.
- ... but is it really worth it?