Re: Why is Tek still keeping logs???

bt (Member, join:2009-02-26, canada) to globus9991:

said by globus9991:

Then, how did the Swedish ISPs do it?

Differently. That they have been successful with such methods just means that it's a valid method, it doesn't mean it's the only method. And if it's better or worse is a matter of opinion.
said by globus9991:

As to a customer not getting its issue fixed overnight, don't get me laughing!!!

Didn't say that.
said by globus9991:

Did you actually work in IT???

Yes. For (gasp) an ISP! And (gasp) not as a phone drone!
said by globus9991:

I can pretty much guarantee that NOTHING gets solved overnight. Furthermore, it is much more time efficient to turn logging on for a specific customer when a complaint is received than to spend countless hours wading through logs. Real-time or near-real-time is the way to go.

Again, never said anything about an issue being solved right away, or overnight, because of the existence of logging.
globus9991 (Member, join:2004-11-14, Argelia):

said by bt:

said by globus9991:

Then, how did the Swedish ISPs do it?

Differently. That they have been successful with such methods just means that it's a valid method, it doesn't mean it's the only method. And if it's better or worse is a matter of opinion.

Well, I worked with both methods and I can tell you from experience that what you want is a near-instantaneous alarm when things go wrong (or appear to go wrong), rather than finding out a few days after the fact, when the damage is done, and having to wade through a few gigs' worth of logs. Yes, heuristic, near-real-time software is better. It is adaptable and/or rule-based. It can look for new forms of abuse or detect subtleties. You can see, in real time, what's going on. Those are all things that logs can't do. Yes, it is a superior method.
said by bt:

said by globus9991:

Did you actually work in IT???

Yes. For (gasp) an ISP! And (gasp) not as a phone drone!

Well... my office had a phone (IP-based, of course) but I didn't use it that much. Spent most of the time with hardware/software. Besides, the drone part was mainly outsourced, so I wouldn't know.
said by bt:

said by globus9991:

I can pretty much guarantee that NOTHING gets solved overnight. Furthermore, it is much more time efficient to turn logging on for a specific customer when a complaint is received than to spend countless hours wading through logs. Real-time or near-real-time is the way to go.

Again, never said anything about an issue being solved right away, or overnight, because of the existence of logging.

No, but you implied that by having logs things would get solved faster. On average, they do not.
bt (Member, join:2009-02-26, canada):

said by globus9991:

said by bt:

said by globus9991:

Then, how did the Swedish ISPs do it?

Differently. That they have been successful with such methods just means that it's a valid method, it doesn't mean it's the only method. And if it's better or worse is a matter of opinion.

Well, I worked with both methods and I can tell you from experience that what you want is a near-instantaneous alarm when things go wrong (or appear to go wrong), rather than finding out a few days after the fact, when the damage is done, and having to wade through a few gigs' worth of logs.

Oh, I agree on that. But I've seen many situations where you need to wade through logs to find out what the cause of the problem is. You can do that a lot sooner if the logs already exist.

Real-time is better for spotting problems. Logs are better for spotting causes.
said by globus9991:

Yes, heuristic, near-real-time software is better. It is adaptable and/or rule-based. It can look for new forms of abuse or detect subtleties. You can see, in real time, what's going on. Those are all things that logs can't do. Yes, it is a superior method.

And real-time can't give you a history to back-track through when necessary. The superior method for troubleshooting (so not getting into cost analysis, legal issues, etc, which bring further pros and cons to each method) is a combination of both real-time and logging.
globus9991 (Member, join:2004-11-14, Argelia):

said by bt:

Oh, I agree on that. But I've seen many situations where you need to wade through logs to find out what the cause of the problem is. You can do that a lot sooner if the logs already exist.

Real-time is better for spotting problems. Logs are better for spotting causes.

Yes, but with properly configured real-time software, it starts logging when the issue is first detected. And it intelligently logs only relevant packets. For all intents and purposes, you are losing almost no important information needed to determine causality.
said by bt:

And real-time can't give you a history to back-track through when necessary. The superior method for troubleshooting (so not getting into cost analysis, legal issues, etc, which bring further pros and cons to each method) is a combination of both real-time and logging.

Not in my experience. Widespread logs are always a headache. They do suffer, as you said, from cost analysis, troubleshooting, legal, storage, backup and a myriad of other issues.

When I am looking at a log, I want the min info that will be useful, and just the timeframe that is useful. Everything else is just a pain in the neck and not worth my time.

Real-time is the way to go. That's how most *modern* data-centers do it.
bt (Member, join:2009-02-26, canada):

said by globus9991:

Yes, but with properly configured real-time software, it starts logging when the issue is first detected. And it intelligently logs only relevant packets. For all intents and purposes, you are losing almost no important information needed to determine causality.

Even properly configured, it can miss out on earlier stages that a human eye might spot (with the benefit of hindsight).

It's only as good as the person who programmed it, and only knows what that person thought of making it know.
said by globus9991:

said by bt:

And real-time can't give you a history to back-track through when necessary. The superior method for troubleshooting (so not getting into cost analysis, legal issues, etc, which bring further pros and cons to each method) is a combination of both real-time and logging.

Not in my experience. Widespread logs are always a headache. They do suffer, as you said, from cost analysis, troubleshooting, legal, storage, backup and a myriad of other issues.

Real-time also suffers from cost analysis, troubleshooting, etc. Not all of the issues are the same, but there are just as many of them.
said by globus9991:

When I am looking at a log, I want the min info that will be useful, and just the timeframe that is useful. Everything else is just a pain in the neck and not worth my time.

Basic log viewing software can help with that. I'm not saying you should be popping the log open in notepad and going through it line by line...
globus9991 (Member, join:2004-11-14, Argelia):

said by bt:

said by globus9991:

Yes, but with properly configured real-time software, it starts logging when the issue is first detected. And it intelligently logs only relevant packets. For all intents and purposes, you are losing almost no important information needed to determine causality.

Even properly configured, it can miss out on earlier stages that a human eye might spot (with the benefit of hindsight).

It's only as good as the person who programmed it, and only knows what that person thought of making it know.

Earlier stages are overrated. In real life there is very little difference whether you caught the first 50 or so packets or not, considering that you got the other 10,000 or so. That's my experience.
said by bt:

said by globus9991:

said by bt:

And real-time can't give you a history to back-track through when necessary. The superior method for troubleshooting (so not getting into cost analysis, legal issues, etc, which bring further pros and cons to each method) is a combination of both real-time and logging.

Not in my experience. Widespread logs are always a headache. They do suffer, as you said, from cost analysis, troubleshooting, legal, storage, backup and a myriad of other issues.

Real-time also suffers from cost analysis, troubleshooting, etc. Not all of the issues are the same, but there are just as many of them.

Again, not in my experience, not to that degree. Sure, you still need human interaction to actually decode and give significance to what's happening, but with an intelligent system you get a heads-up about possible causes instantaneously. Let's say that somebody is abusing port 25. You will know instantly from the software's packet analysis that somebody is probably spamming. By log alone, well, it can take a while to figure out the pattern.
said by bt:

said by globus9991:

When I am looking at a log, I want the min info that will be useful, and just the timeframe that is useful. Everything else is just a pain in the neck and not worth my time.

Basic log viewing software can help with that. I'm not saying you should be popping the log open in notepad and going through it line by line...

Obviously, but even the fanciest log analyzers are just sophisticated filters. They are not good at pattern recognition. Heuristic software is. Heck! It can even detect patterns based on how normal packets are affected by abusive packets! It can do statistical analysis far beyond what a simple log analyzer can do.
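An added illustration (not code from either poster) of the two approaches argued over in this thread: globus9991's triggered capture, which alerts on a burst of port-25 flows from one source and then logs only that source's relevant records, set beside bt's point that such a capture misses the earlier stages a full log would have kept. The flow records, thresholds and class names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed flow records (timestamp_s, src_ip, dst_port); sample data, not real traffic.
FLOWS = [
    (0, "10.0.0.5", 80), (1, "10.0.0.5", 443), (2, "10.0.0.9", 25),
    (3, "10.0.0.9", 25), (4, "10.0.0.5", 25), (5, "10.0.0.9", 25),
    (6, "10.0.0.9", 25), (7, "10.0.0.9", 25), (8, "10.0.0.9", 25),
    (9, "10.0.0.5", 80),
]

class Port25Monitor:
    """Hypothetical near-real-time detector: alert when one source opens
    `threshold` or more port-25 flows inside `window` seconds, then retain only
    that source's later port-25 flows plus a short pre-trigger buffer."""

    def __init__(self, threshold=4, window=10, prebuffer=3):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)      # src -> port-25 timestamps inside window
        self.pre = deque(maxlen=prebuffer)    # last few flows seen, from any source
        self.flagged, self.alerts, self.retained = set(), [], []

    def feed(self, ts, src, dport):
        if src in self.flagged:
            if dport == 25:                   # post-trigger: log relevant flows only
                self.retained.append((ts, src, dport))
            return
        self.pre.append((ts, src, dport))
        if dport != 25:
            return
        q = self.recent[src]
        q.append(ts)
        while ts - q[0] > self.window:        # slide the window forward
            q.popleft()
        if len(q) >= self.threshold:
            self.flagged.add(src)
            self.alerts.append((ts, src, len(q)))
            self.retained.extend(self.pre)    # salvage the little history we buffered

def run_monitor(flows=FLOWS):
    mon = Port25Monitor()
    for rec in flows:
        mon.feed(*rec)
    return mon.alerts, mon.retained

def search_full_log(flows, src, dport=25):
    """Retrospective approach: the full log is kept, so every flow from the
    source is still available afterwards, including the earliest ones."""
    return [r for r in flows if r[1] == src and r[2] == dport]

if __name__ == "__main__":
    alerts, kept = run_monitor()
    print("alerts:", alerts)
    print("triggered capture kept", len(kept), "of", len(FLOWS), "records")
    print("full-log search found", len(search_full_log(FLOWS, "10.0.0.9")), "port-25 flows")
```

With this data the monitor alerts at second 6 and keeps five records, while the full log still holds the two earliest port-25 flows from that source that the triggered capture never saw.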