Re: [logs] Generic Log Message Parsing Tool

From: Russell Fulton (r.fultonat_private)
Date: Mon Jun 10 2002 - 19:03:03 PDT


    Well it's been a fascinating discussion (thanks Marcus and Sweth et al.)
    
    I've kept my head down for most of the discussion because I could see
    that others knew far more about the basic issues than I did.  Marcus was
    quite right in his suggestion that I was attacking the problem at the
    wrong level and that what was needed at the moment was to understand
    just what the fundamental issues were. 
    
    While looking at the books on my shelf this morning a thought occurred
    to me:  Has anyone considered ICON http://www.cs.arizona.edu/icon/ as a
    possible implementation language for a log parser?  Almost certainly
    not!
    
    ICON is the brainchild of Ralph Griswold (one of the authors of Snobol
    -- yes, I'm showing my age, does anyone else remember Snobol?)  ICON is
    a great language for building parsers, it is interpretive and has
    powerful string manipulation facilities built in.  It also has the
    concept of goal evaluation and backtracking built into the language. 
    There is a section of ["The ICON Programming Language" by Griswold and
    Griswold; Prentice Hall; ISBN 0-13-447889-4] devoted to writing parsers
    in the chapter on "strings and pattern matching".
    
    ICON is free and available for both UNIX and Windows.
    
    To me it seems a good choice, the language is more flexible than REs
    although with the flexibility comes complexity and since you have
    control over the backtracking you need to know what you are doing to use
    it effectively.  But if there is one thing that has come out of this
    discussion it is that whatever tools we use, whoever does it is going to
    need to deal with complex parsing issues.
    
    The downside, of course, is that it is relatively unknown and (so far as
    I know) does not have a wide support base like perl, python etc.
    
    Lastly I have passed the suggestion to our Software Engineering School that
    this would make a good project for a 4th year or a masters project.  One
    of the lecturers has said he would be happy to supervise it and it has
    been added to the list of possible topics for next year. 
    
    The recent discussions on this list will provide a very useful starting
    point for a student who wants to pursue this project.
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
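
An added example, not from Russell's post or from anyone on the list: a small Icon program that parses a syslog-style line with string scanning, to show the goal-directed evaluation and backtracking he refers to. The record layout and the sample lines are constructed for illustration, and the parser assumes the program name itself contains no '[' or ':'.

```icon
# Added example (not from the original post).  Parses a syslog-style line
# with Icon string scanning; the sample lines in main() are constructed.

record event(month, day, time, host, prog, pid, msg)

# Returns an event record, or fails outright if the line does not have the
# expected shape, so a caller can fall through to another parser instead
# of working with a half-filled record.
procedure parse_syslog(line)
   local ev
   ev := event()
   line ? {
      ev.month := tab(many(&letters)) | fail
      tab(many(' ')) | fail                  # one or more spaces
      ev.day := tab(many(&digits)) | fail
      tab(many(' ')) | fail
      ev.time := tab(many(&digits ++ ':')) | fail
      tab(many(' ')) | fail
      ev.host := tab(upto(' ')) | fail
      move(1)
      # Program name, optionally followed by "[pid]".  upto('[') is a
      # generator and tab() is reversible: if the "[" it finds is not
      # followed by digits and "]", Icon backs out, restores &pos and
      # resumes upto() at the next "[".  If no "[pid]" fits, the whole
      # conjunction fails and the second alternative is tried instead.
      # (Assumes the program name contains no '[' or ':'.)
      ((ev.prog := tab(upto('['))) & ="[" &
         (ev.pid := tab(many(&digits))) & ="]") |
         (ev.prog := tab(upto(':'))) | fail
      =": " | fail
      ev.msg := tab(0)                       # everything that is left
   }
   return ev
end

procedure main()
   local line, ev
   # Constructed sample lines: one with a pid, one without, one malformed.
   every line := "Jun 10 19:03:03 gateway sshd[4242]: Accepted publickey for alice" |
                 "Jun  5 01:02:03 gateway kernel: firewall dropped packet" |
                 "this is not a syslog line" do {
      if ev := parse_syslog(line) then
         write(ev.host, " ", ev.prog, " pid=", \ev.pid | "-", " : ", ev.msg)
      else
         write("unparsed: ", line)
   }
end
```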
    
    


