Let us kick off the first round of discussion by enumerating the problems of
legacy log formats. Please share with the rest of us what you like and/or
hate about log formats you worked with.
WHAT I LIKE:
Logs in ASCII because they are viewable without special tools and because
they can be written out fast.
WHAT I HATE:
Single level of detail. I open a web server log and see zillions of
similar-looking entries, all with the same kind of information. If something
wrong happens to a web server, I would like to see more detailed error
information when and where it happens in the access log.
Custom parsers. Most log formats are simple in structure yet wild in
variety, so that custom parsers have to be written for each type of log your
server generates.
Non-integrated views. When a server generates multiple log types (i.e.
access, error, etc.), each log type is written out into a separate file.
This makes it difficult to analyze problems whose symptoms are spread out
over multiple files. When there is more than one process involved (i.e.
web server, application server, and database server), the task becomes
practically impossible. It would be nice to 'merge' log information from
multiple sources to get a view of all the components working together.
Let me just stop here so that the rest of you have something to write about <g>.
Regards,
Don Park
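
The merged view asked for under "Non-integrated views", as an added example that is not part of the original message: two per-format parsers (the "custom parsers" cost) feed one time-ordered stream. The log lines are constructed, the formats are assumed to be Apache-style access and error logs, and the function names are hypothetical.

```python
import heapq
import re
from datetime import datetime, timezone

# Constructed sample lines, not taken from any real server.
ACCESS_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Mar/2024:10:15:03 +0000] "POST /login HTTP/1.1" 500 312',
    '192.0.2.44 - - [12/Mar/2024:10:15:07 +0000] "GET /health HTTP/1.1" 200 2',
]
ERROR_LOG = [
    '[Tue Mar 12 10:15:03 2024] [error] [client 192.0.2.10] backend timeout on /login',
    '[Tue Mar 12 10:15:05 2024] [warn] [client 192.0.2.10] retrying upstream',
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[(\w+)\] \[client ([^\]]+)\] (.*)$')

def parse_access(lines):
    """Yield (timestamp, source, client, detail) for each access-log line."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped in this sketch
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield (ts, "access", m.group(1), f"{m.group(3)} -> {m.group(4)}")

def parse_error(lines):
    """Yield the same tuple shape for each error-log line."""
    for line in lines:
        m = ERROR_RE.match(line)
        if not m:
            continue
        # Assumption: the error log carries no zone, so it is treated as UTC.
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        yield (ts.replace(tzinfo=timezone.utc), "error", m.group(3),
               f"{m.group(2)}: {m.group(4)}")

def merged_view(access_lines, error_lines):
    """Merge both logs into one stream ordered by time.

    heapq.merge assumes each input is already in time order, which holds
    for append-only log files.
    """
    return list(heapq.merge(parse_access(access_lines), parse_error(error_lines)))

if __name__ == "__main__":
    for ts, source, client, detail in merged_view(ACCESS_LOG, ERROR_LOG):
        print(ts.isoformat(), f"{source:6}", client, detail)
```

In the merged output the 500 response to POST /login sits directly next to the backend timeout that explains it, which neither file shows on its own.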