Friday, April 20, 2007

Who to sell log standards to?

Wednesday, Anton Chuvakin excitedly announced the imminent release of a new logging standard. If you know me, then you know that I like logs and log analysis and SIMs and all that. So I had questions for Dr. Chuvakin about CEE and how the new standard will attract smaller vendors and OSS projects.

PM: "I know the more boutique vendors that use standard logging formats the easier your life becomes. But ... how do you incent small and/or niche vendors to support a log standard that they weren't at the table to design?"

AC: "Nah, we are talking MUCH bigger players than boutique vendors ... just wait."

But when it comes to log standards and source-to-analyzer log flows, who cares about big players? LogLogic, ArcSight, Intellitactics, and everybody else in their field have developed and will continue to maintain transport and parsing code for Microsoft and Cisco logs, regardless of any standard. Why? They can't afford not to support the big players.

As I see it, the advantage of log standards is interoperability of third-party products. It costs SIM vendors a decent chunk of change in development and support cost to spin up support for new products. Standards make this proposition cheaper: one set of code to maintain, potentially hundreds of products supported. I've never had a problem with my SIM parsing EventLog properly. It's vsftpd with log_ftp_protocol set that makes my SIM cough up 1-field hairballs of syslog goo.

So how to sell log standards to small vendors and open source developers so that SIM's can do a better job? That's a tough question, and I don't know the best answer. But I am fairly confident that for today at least, that's where the value of logging standards lies.

No comments: