This is a commonly reinvented wheel, and the version Stefan (metze) Metzmacher suggested in samba-technical is the round one (;-))
A maximally useful log message contains a number of fixed items, usually in a fixed-format header of some sort, and text for the human reader to use to understand the implications of the problem.
From memory, the fixed information includes enough to allow for mechanical sorting by nastiness and occasionally mechanical processing:
- date/time
- origin, meaning machine- or domain-name
- source, in some detail,, including the executable name and process id as a minimum, if applicable, and optionally the file, function and line, it is good to make this one token, for ease of parsing and resilience when one line has "sendmail:parse.c:parse_it:332:1948" and another has only "mconnect:1293"
- pre-classification, meaning the application type, error type and severity. DFAs can switch on this, and should.
The old ARPA format was error type source and severity as three decimal digits, which you still see when smtp says "250 ok". The 2 was permanent success, the 5 meant "the app", in this case smtp, and 0 was the severity. I prefer ascii, not numbers (;-))
- then the text for the human, saying the meaning of the error, the same way you're supposed to write the **meaning** of code in comments, not just say what the code does.
Syslog does about half of this, metze's did most of it.
