Tuesday, March 28, 2006

More data, more tools or more answers?

Here is a fun one (don't half of my posts start from this phrase... :-))

This post discusses what IT people actually need: more data, better data, or something else entirely?

BlogicBlog: View from the trenches: Quoted, but misunderstood: What's Missing from Production System Troubleshooting: "I do not ask for more data, I ask that the data format currently being used is reviewed to see whether it is actually useful for troubleshooting/monitoring and that concerned effort is made to change the format where it proves not to be useful."

Let's do a bit of analysis and thinking on this one. What do they need - just pick one:
1. More data
2. Better formatted data
3. More tools to mangle the data
4. More answers to their issues-of-the-moment

Now, please show me a person that would not pick #4 :-)

Thus, I think the focus should be on more intelligence and giving answers, not tools (or, tools that give answers! :-)). Better formatted data is certainly useful and will facilitate the quest for answers...

3 comments:

BlogicBlogger said...

Anton,

I am glad you found my article interesting and yes the answer to the problem is a final goal.

However, the whole point of tech support is that the answer is not easy to find. Certainly on the 2nd/3rd level of support it is so.

Therefore, what you instead get is a lot of data that _probably_ can lead one to the answer. Unfortunately, if the data is not coherent (parsable, timestamped, thread-stamped, etc), it is next to impossible to find the answer even if one is known to exist.

One of the real examples I had was trying to prove that a particular access did _not_ happen based on 2 Gigabytes of badly formatted, mismatched log files. I have managed to do that but only because I wrote some tools for the task. And even with the tools, it was still up to me to interpret the results correctly and explain them to the customer.

In summary, your fourth point is a goal, while the first 3 are possible ways of getting there. Just asking for that 'give answers' solution is like looking for a silver bullet.
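
As an added example (not code from the post or from either commenter; every log line below is constructed), here is what the "coherent data" the comment asks for looks like in practice: two mismatched log formats folded into one timestamped, thread-aware timeline, a search for evidence of a given access, and a coverage-gap check, because in a window where no source recorded anything at all, "no evidence found" cannot be turned into "did not happen".

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in two mismatched formats: an Apache-style access
# log with a bracketed timestamp, and an application log with ISO timestamps
# plus a thread id (the "thread-stamped" data the comment wants).
ACCESS_LOG = [
    '10.0.0.5 - alice [28/Mar/2006:10:01:07 +0000] "GET /admin HTTP/1.1" 200',
    '10.0.0.9 - - [28/Mar/2006:10:03:15 +0000] "GET /index.html HTTP/1.1" 200',
]
APP_LOG = [
    "2006-03-28 10:01:07,120 [worker-3] INFO login user=alice",
    "2006-03-28 10:30:44,001 [worker-1] INFO login user=bob",
]
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
APP_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+) (.*)$")

def build_timeline(access_lines, app_lines):
    """Normalize both sources into one event list sorted by timestamp.
    Lines that do not parse are counted so the caller knows what was dropped."""
    events, unparsed = [], 0
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ts": ts.replace(tzinfo=None), "src": "access", "thread": None,
                       "user": m.group(2), "detail": f"{m.group(4)} {m.group(5)} {m.group(6)}"})
    for line in app_lines:
        m = APP_RE.match(line)
        if not m:
            unparsed += 1
            continue
        user = re.search(r"user=(\S+)", m.group(4))  # app log names the user inline
        events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"),
                       "src": "app", "thread": m.group(2),
                       "user": user.group(1) if user else None, "detail": m.group(4)})
    return sorted(events, key=lambda e: e["ts"]), unparsed

def access_evidence(timeline, user, needle):
    """Events where `user` appears together with `needle` (e.g. a request path)."""
    return [e for e in timeline if e["user"] == user and needle in e["detail"]]

def coverage_gaps(timeline, max_gap=timedelta(minutes=15)):
    """Windows longer than max_gap with no event from any source; inside them
    an empty access_evidence() result proves nothing."""
    return [(a["ts"], b["ts"]) for a, b in zip(timeline, timeline[1:])
            if b["ts"] - a["ts"] > max_gap]
```

Run on the constructed lines, alice's /admin request is found once, bob has no /admin evidence, and one 27-minute gap is flagged, which is exactly the window where the absence claim would need another data source.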

Anonymous said...

I fully agree. More data isn't the answer...understanding the data we do have, and being able to see what it tells us is much more important.

Unfortunately, a great many native tools don't give us this information. The Windows Task Manager doesn't give the command line used to launch a process...one has to find a third-party tool, or download the Debugging Tools to get tlist.exe.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

BlogicBlogger said...

Windows is quite appalling in terms of the troubleshooting tools it supplies. On all of my machines, I install the tools from www.sysinternals.com . Of course, they just changed their license for the worse for the free tools, so we will see what happens next.

Dr Anton Chuvakin