On his blog, Anton started an entry about logging and got into the topic of too many logs. I was suggesting visualization to analyze the vast amounts of logs in order to get a better handle on and understanding of them. Anton countered with this:
Is this really the place to start a visualization fight? :-)
You know what my issues with visualization are:
- tools need really skilled analysts
- often the resulting picture is no more insightful than the original log pile
- I kinda prefer an analytic system which is smart to a visualization system which is... not so smart.
Let's move this discussion to secviz :-)
Here ya go. To answer Anton's objections:
You need skilled analysts to read log files in the first place! So no excuse. I would even argue that visualization makes it easier on the analyst! I agree that we need better tools nevertheless!
I agree, _sometimes_ the pictures are not more insightful. But in general they are. I think what is missing are good guidelines on what graphs help with what situations. I am working on that.
Visualization has the benefit that it not only helps you answer questions that you have, but it elicits questions that you did not even think of before. So for some things you can come up with algorithms to solve your problems, but for others, you don't even know your problem upfront!
I am curious to hear what others think.