On 2014-09-04 01:53, Anton Aylward wrote:
On 09/03/2014 07:24 PM, Carlos E. R. wrote:
On 2014-09-04 00:46, pinguin74 wrote:
The timestamp is 1409728889.981
$ date --date="@1409728889.981"
Wed Sep 3 09:21:29 CEST 2014
Is this their goal, to make reading the log file as hard as possible?
Because it is faster for reading it by software, I'd guess.
In particular if you are sticking those fields into some sort of database and indexing on the 'timestamp'.
I realise that sophisticated databases can index date fields but they do so by converting the YY/MM/DD:HH:NN:SS,ss into an integer and converting it back on display. So why not start with the integer?
Well, a database can be processed "offline", or delayed, so processing time is not that crucial. But logs have to be written fast. Not formatting a field makes it just a bit faster, and also a bit faster to read (and understand) by another process, if needed. But syslog does not always write to a plain text file; it can write to binary databases as well. These take more processing to create, so optimizing starts to become important... After all, you record some type of longint, not a text string. Way, way faster.
In a corporate setting syslog or whatever can be throwing a lot of records and the delay of having to do that conversion before stuffing the record in the database will slow things down.
Yep. :-)
Why database? There are tools that can do interesting things in a corporate setting, like look for a penetration coming in through the firewall, switch host application. All very automated. Most of us just look at the syslog files of a single machine as in "why is that application misbehaving", but there is a whole business of detecting attacks.
I mean, after all, this is apparmor we are talking about here, not vanilla syslog, so it *is* about attacks.
And, when apparmor starts logging a , it slows down the processes it is watching, I believe. The processes cannot go ahead faster than those events are written, they have to wait - so everything crawls. Thus writing those events fast is important. This is a guess, I haven't verified it, but an educated guess.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
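An added example, not from anyone in this thread, showing what the raw epoch timestamp buys a log-processing tool: the AppArmor audit lines below are constructed samples (only the timestamp 1409728889.981 comes from the thread, and the profile/path values are made up), the parser keeps the epoch value as a number for indexing and sorting, and the conversion to wall-clock time happens only on display, as the `date --date=@...` command above does. The UTC+2 (CEST) offset is assumed rather than read from the system.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines in the kernel audit format used for AppArmor messages.
# The profile, path, pid and serial values are invented for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1409728889.981:5132): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1532 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1409728890.004:5133): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=1532 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# audit(<epoch.msec>:<serial>): the timestamp is a plain number, no date formatting involved.
AUDIT_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)')
# key=value pairs; quoted values may contain spaces or slashes.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

CEST = timezone(timedelta(hours=2))  # assumed fixed offset; `date` would use the system zone


def parse_line(line):
    """Parse one audit line into a dict, keeping the epoch timestamp numeric."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
    return {
        'ts': float(m.group('ts')),       # numeric: cheap to compare, sort and index
        'serial': int(m.group('serial')),
        **fields,
    }


def denied_events(text):
    """Return only the AppArmor DENIED events, in the order they were logged."""
    events = (parse_line(ln) for ln in text.splitlines())
    return sorted((e for e in events if e and e.get('apparmor') == 'DENIED'),
                  key=lambda e: (e['ts'], e['serial']))


def to_local(ts, tz=CEST):
    """Format an epoch timestamp for display, the way `date --date=@TS` does."""
    return datetime.fromtimestamp(ts, tz).strftime('%Y-%m-%d %H:%M:%S %Z')


if __name__ == '__main__':
    for ev in denied_events(SAMPLE_LOG):
        print(to_local(ev['ts']), ev['profile'], ev['operation'], ev['name'])
```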