Internet2

Middleware



Minutes From The 7/1/04 Bimonthly Meeting

 


Agenda

  • Pilot - comments on progress

Participants

  • George Brett - Internet2 (scribe)
  • Chas DiFatta - CMU (chair)
  • Russ Hobby - Internet2
  • Mark Poepping - Internet2
  • Matt Zekauskus - Internet2

Action Items

  • Chas will talk to folks at Penn State running the first Shib production shop the next time he is in PA at the end of July.
  • Matt and Chas will arrange a meeting if possible.
  • Russ and Matt arrange call with Abilene operators about logging events.

Pilot Progress

Chas updated us on the progress of the pilot, which kicked off in May and had a second meeting on June 25. There are currently two developers, Ryan Muldoon and Jim Gargani, working on this. The pilot now has the code name CCB.

There were two candidates to be considered for the pilot: NetLogger and AirCert. After consideration neither will be used. The reasons for not using the tools are listed below.

Reasons Not to use NetLogger

  • Logging requires calling the NetLogger API; the design doesn't work with event files and streams as-is.
  • No built-in filtering or aggregating capabilities.
  • Unable to percolate logging data upstream: it can log to file (text & binary) or database, but has no ability to combine data between servers.
  • Design is performance-focused, not diagnostics-focused.
  • Bottom line is that NetLogger won't buy us much; it is a fairly simple system for generating, collecting and analyzing performance data from applications.

Reasons Not to Use AirCERT

  • Complexity of configuration & deployment (took experts a couple of days).
  • Requires use of old software: only works with Apache 1.3.x.
  • Would be very difficult to deploy on Windows; lots of Linux software required as dependencies.
  • Snort-centric design requires extensive changes for ccBay architecture.
  • Scarce documentation & support; hard for their support to get back to us or support this.
  • Not widely deployed or tested.
  • Currently used for security-based events, an intrusion system fed by Snort.

Chas described how they picked the best pieces and tools for the CCB Design working towards the event record. The plan is to put all event data into XML format with the ability to return it to its raw state. There are a number of tools out there now that work with raw data and we'll need to work with them.

Technical details of this process include:

  • XSLT transformations of events to one of four XML schemas (rex/tabula replacement). Filtering & aggregating will be possible at this stage. Style sheets will also be needed for each event log file or stream.
  • SCP (or SOAP) to transfer XML files securely to the collection server (dredge replacement).
  • XSLT transformations of XML files to one of four database (MySQL) schemas (mod_air replacement). Filtering & aggregating will be possible at this stage as well. XSLT transformations & SCP will be used to move data upstream.
  • Analysis tools will be built on top of database queries. There will be both command line interface (CLI) and graphical user interface (GUI).
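
A minimal sketch of the normalize, ship, load and query flow described above, added here as an illustration and not taken from the CCB code. The `<event>` element layout, the sample log lines, and the use of Python's `xml.etree.ElementTree` and `sqlite3` in place of XSLT and MySQL are all assumptions made so the example runs with the standard library only; the SCP transfer step is represented by passing the XML bytes between functions.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample input: raw event lines as a host log might emit them.
RAW_LINES = [
    "2004-07-01T10:00:01Z hostA sshd auth-failure user=alice",
    "2004-07-01T10:00:05Z hostA sshd auth-failure user=alice",
    "2004-07-01T10:01:00Z hostB httpd request path=/index.html",
]

def normalize(raw):
    """Raw line -> <event> element (hypothetical schema); keeps the raw text."""
    ts, host, source, kind, detail = raw.split(" ", 4)
    ev = ET.Element("event", time=ts, host=host, source=source, type=kind)
    ET.SubElement(ev, "detail").text = detail
    ET.SubElement(ev, "raw").text = raw  # lets the record return to its raw state
    return ev

def to_raw(ev):
    """Recover the original line from a normalized event."""
    return ev.findtext("raw")

def build_batch(lines, keep_types=None):
    """Normalizer stage: convert and optionally filter, return XML bytes to ship."""
    root = ET.Element("events")
    for line in lines:
        ev = normalize(line)
        if keep_types is None or ev.get("type") in keep_types:
            root.append(ev)
    return ET.tostring(root, encoding="utf-8")

def load(db, xml_bytes):
    """Collection-server stage: XML batch -> database rows (parameterized inserts).
    A batch from another host is untrusted input; a hardened XML parser
    would be the safer choice in a real deployment."""
    db.execute("CREATE TABLE IF NOT EXISTS events"
               "(time TEXT, host TEXT, source TEXT, type TEXT, detail TEXT, raw TEXT)")
    for ev in ET.fromstring(xml_bytes):
        db.execute("INSERT INTO events VALUES (?,?,?,?,?,?)",
                   (ev.get("time"), ev.get("host"), ev.get("source"),
                    ev.get("type"), ev.findtext("detail"), to_raw(ev)))

def counts_by_host_type(db):
    """Analysis stage: aggregate with a database query."""
    return db.execute("SELECT host, type, COUNT(*) FROM events "
                      "GROUP BY host, type ORDER BY host, type").fetchall()

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    load(db, build_batch(RAW_LINES))
    print(counts_by_host_type(db))
```
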

Next steps for the pilot are to:

  • Roll our own solution using what we learned from NetLogger and AirCERT evaluation.
  • Focus on a simple and extensible lightweight design.
  • Utilize existing libraries, utilities, modules and standards instead of existing systems. This will be a custom approach with commonly used building blocks. We will use Python as a full-featured and robust development language because Python gives us everything we need development-wise: it's fast, widely used, and will run like the wind.

The next meeting with the developers will be at the end of July. Chas said he will be gone much of July but will be in contact via email. He detailed the plan of work each developer will be doing over the next month. Ryan will integrate 5 event schemas into a common DTD format, derive/define database schema from DTD schemas, design/code basic Python XSLT transformations (collectors and normalizers), and prepare some simple SQL queries against the collector database. Jim will design/document the Host/System event DTD schema, design/code basic Python XSLT transformations (normalizers), design/code basic scripts/utility to automate text file normalizers, and design/code basic scripts/utility to automate file copying with SCP (then go to the SOAP interface). The step following that will be to incorporate into this set simple categories from what was given from Shibboleth and networking.

Matt suggested that it would be useful to take a look at the GGF DTD schema for time stamps, network addresses, etc. Chas said that he had a good conversation with Eric Boyd about this topic, and about how there would be an analytical tool to watch the performance data for anomalies that would kick it into diagnostic tools. Russ agreed that the analytical tools are what is missing. All agreed that it will be important to leverage existing standards in this process.

Agenda for BoF at the Internet2 Fall Member Meeting

Chas said he's been sorting out what to do for the Internet2 Fall Member Meeting. He asked if there were any ideas of what to do. He has been thinking about reporting on the progress of the pilot and how to get more people involved with requirements gathering and next phase development of the tools.

Mark suggested that one way of dissemination, once through the pilot, would be to integrate diagnostic tools into an application and then use the BoF as a way to look for feedback. Matt agreed and said that it would be helpful to have a demonstration or at least screen shots to make the diagnostic tools more concrete for people. He said there should be invitations to this session directed at people from different working groups. Russ said it would help if the demo could be done in a way for the other folks to see how the diagnostic tools fit into their respective environments.

Other Topics

On a different topic Matt offered to meet with Chas either during travel to California or later in Pittsburgh. Chas said they could work out a time. [AI] Matt and Chas will arrange a meeting if possible.

Russ mentioned that on a recent Abilene planning call there was talk about trying to collect events from operations logs. He was going to be talking with the network operators more about this. There was more discussion about how this information could be applied to help identify events and then pursue anomalies to determine if they are legitimate or not. Russ and Matt will line up a call with the Abilene folks to further discuss this. [AI] Russ and Matt arrange call with Abilene operators about logging events.

 
