Re: [logs] Re: Generic Log Message Parsing Tool

From: Marcus J. Ranum (mjrat_private)
Date: Wed Jun 05 2002 - 12:47:08 PDT

Next message: Tom Perrine: "Re: [logs] Re: Generic Log Message Parsing Tool"

Previous message: Marcus J. Ranum: "Re: [logs] Re: Generic Log Message Parsing Tool"
In reply to: Sweth Chandramouli: "Re: [logs] Re: Generic Log Message Parsing Tool"
Next in thread: Nick Vargish: "Re: [logs] Re: Generic Log Message Parsing Tool"
Next in thread: Tom Perrine: "Re: [logs] Re: Generic Log Message Parsing Tool"
Next in thread: Dale.Drewat_private: "RE: [logs] Re: Generic Log Message Parsing Tool"
Reply: Nick Vargish: "Re: [logs] Re: Generic Log Message Parsing Tool"
Reply: Sweth Chandramouli: "Re: [logs] Re: Generic Log Message Parsing Tool"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sweth Chandramouli wrote:
>        -- Sweth, whose gut response to XML suggestions is similar
>to mjr's response to regex suggestions, because he's seen too many
>people assume that XML==portable data when the real portability comes
>from a well-defined data structure that the XML document can then
>describe.

<LOL>

My response to those who've drunken the XML cool-ade is similar
but for different reasons. :) Let's consider the irony of using
XML for the output of a parsing operation...  Here we spend all
this pain and agony to parse log data into meaningful subcomponents
based on a grammar. That's a lot of work. So we take the results
and write them out in XML. Before we do that, we have to write
what amounts to another grammar! And then we have to write a parser
for THAT grammar! :)  Using XML in this context is a great idea
because it lets us write another parser and another grammar in our
copious free time! :)    Uuuuhhh... I am still trying to see the
point of using XML for _anything_  ;)

I think we can agree that parsing log data into some kind of
predictable data dictionary - with regular field names and
so forth - has value. That's a really hard problem and a lot of
folks _think_ that's what XML solves, but really all XML does
is standardize a tagging layout. *yawn* There's no difference
between:

<record>
<month>12</month>
<day>05</day>
<host>whumpus.ranum.com</host>
...etc...
</record>

and

beginrec
month=12
day=05
host=whumpus.ranum.com
...
endrec

except it's a lot easier to handle
attribute=value
strings because anything from the first '=' over is inherently
quoted. If you get into multiline strings then you may need a bit
of extra syntax, but no biggie. The bottom line is that it's very
easy to convert data - once it's been converted into something
that means the same thing in a data dictionary - regardless of
the specific mark-up.

(FYI - "Fargo" used a light-weight XML-like markup so don't
assume I have religious objections to XML. ;)

mjr.
---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjrat_private

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Tom Perrine: "Re: [logs] Re: Generic Log Message Parsing Tool"
Previous message: Marcus J. Ranum: "Re: [logs] Re: Generic Log Message Parsing Tool"
In reply to: Sweth Chandramouli: "Re: [logs] Re: Generic Log Message Parsing Tool"
Next in thread: Nick Vargish: "Re: [logs] Re: Generic Log Message Parsing Tool"
Next in thread: Tom Perrine: "Re: [logs] Re: Generic Log Message Parsing Tool"
Next in thread: Dale.Drewat_private: "RE: [logs] Re: Generic Log Message Parsing Tool"
Reply: Nick Vargish: "Re: [logs] Re: Generic Log Message Parsing Tool"
Reply: Sweth Chandramouli: "Re: [logs] Re: Generic Log Message Parsing Tool"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 13:21:20 PDT