Thread: More data, more tools or more answers?

One of my conversations was commented on by Dr Anton Chuvakin. I had replied to him in his comments, but unfortunately he keeps reposting the article to new services without bothering to address the reply, so I am putting it here as a central reference.

Basically, Anton (if I may call him this) thinks that the universe of choices around log file discussion is not just

  1. More data

  2. Better formatted data

  3. More tools to mangle the data

But must also: include

  1. More answers to their issues-of-the-moment

He favours the last point much stronger than others and says:

Thus, I think the focus should be on more intelligence and giving answers, not tools.

I happen to think that while his 4th point is great, it is not a concrete, actionable step forward and therefore does not really help the discussion.

Specifically (from my original comment):

…The whole point of tech support is that the answer is not easy to find. Certainly on the 2nd/3rd level of support it is so.

Therefore, what you instead get is a lot of data that _probably_ can lead one to the answer. Unfortunately, if the data is not coherent (parsable, timestamped, thread-stampted, etc), it is next to impossible to find the answer even if one is known to exist.

One of the real examples I had was trying to prove that a particular access did _not_ happen based on 2 Gigabytes of badly formatted, mismatched log files. I have managed to do that but only because I wrote some tools for the task. And even with the tools, it was still up to me to interpret the results correctly and explain them to the customer.

In summary, your fourth point is a goal, while first 3 are possible ways of getting there. Just asking for that ‘give answers’ solution is like looking for silver bullet.

I would love Anton to comment on this specifically. Maybe he can give a concrete support to his point, as I did before for the point 2).

BlogicBlogger Over and Out