SIP Common Log Format (sipclf)
------------------------------

Charter
Last Modified: 2009-09-15

Current Status: Active Working Group

Chair(s):
    Spencer Dawkins
    Theo Zourzouvillys

Real-time Applications and Infrastructure Area Director(s):
    Robert Sparks
    Cullen Jennings

Real-time Applications and Infrastructure Area Advisor:
    Robert Sparks

Technical Advisor(s):
    David Harrington

Mailing Lists:
    General Discussion: sip-clf@ietf.org
    To Subscribe: https://www.ietf.org/mailman/listinfo/sip-clf
    Archive: http://www.ietf.org/mail-archive/web/sip-clf/current/maillist.html

Description of Working Group:

The SIP Common Log Format (SIPCLF) working group is chartered to
define a standard logging format for systems processing SIP messages.

Well-known web servers such as Apache and web proxies like Squid
support event logging using a common log format. The logs produced
using these de-facto standard formats are invaluable to system
administrators for trouble-shooting a server and tool writers to craft
tools that mine the log files to produce reports and trends and to
search for a certain message or messages, a transaction or a related
set of transactions. Furthermore, these log records can also be used to
train anomaly detection systems and feed events into a security event
management system.

The Session Initiation Protocol does not have a common log format.
Diverse elements provide distinct log formats making it complex to
produce tools to analyze them.

The SIPCLF working group will produce a format suitable for logging
from any SIP element. The working group will take into account

* the need to search, merge, and summarize the log records from
  one or more possibly diverse elements.

* the need to correlate messages from multiple elements related to a
  given request (that may fork) or a given dialog.

The format will take SIP's extensibility into consideration, providing
a way to represent SIP message components that are defined in the
future.

The format will anticipate being used both for off-line analysis and
on-line real-time processing applications. The working group will
consider the need for efficient creation of records and the need for
efficient processing of the records.

The working group will identify the fields to appear in a log record
and provide one or more formats for encoding those fields. The working
group is not pre-constrained to producing either a bit-field oriented
or text-oriented format, and may choose to provide both. If the group
chooses to specify both, it must be possible to mechanically translate
between the formats without loss of information.

Specifying the mechanics of exchanging, transporting, and storing SIP
Common Log Format records is explicitly out of scope. However, the
working group will document as part of the definition of the log
record format:

* operational guidance considering log file management addressing
  size, rollover, aggregation and filtering.

* guidance for correlating SIP CLF records with events reported via
  other log mechanisms such as syslog or SNMP notifications.

* security guidance for storage, access, and transporting SIP CLF log
  records, addressing information privacy

The group will generate:

- A problem statement enunciating the motivation, and use cases for a
  SIP Common Log Format. This analysis will identify the required
  minimal information that must appear in any record.

- A specification of the SIP Common Log Format record

Goals and Milestones:

Dec 2009    Problem statement, motivation, and use cases WGLC
Jan 2010    Problem statement, motivation, and use cases to IESG (Informational)
Mar 2010    SIP Common Log Format specification WGLC
Apr 2010    SIP Common Log Format specification to IESG (PS)

Internet-Drafts:

No Current Internet-Drafts.

Request For Comments:

None to date.