On Wednesday, August 21, 2002, at 12:05, Greg Black wrote:

> | if you propose something like this and don't use XML, the first question
> | you're going to get will invariably be "why didn't you use XML?"
>
> To which a reasonable answer is: "because it sucks."

Hyperbole is unlikely to prove very persuasive here. Not using XML means giving up everything from the existing parsers and language support to the XML support many databases are starting to have (given the value of a database for ad-hoc queries, I'm inclined to say that's worth a little bloat to get all of your logs into one).

The two real complaints I see are both overhead - file size and processing time. The size issue becomes a lot less of a problem if you've designed your DTD properly (e.g. resisting the urge to be unnecessarily verbose - <event host="..." timestamp="1234567890"> instead of <event><ip_hostname>fqdn.example.com</ip_hostname><timestamp>Fri Feb 13 15:31:30 PST 2009</timestamp>) and are using compression.

The processing time concern is more of a problem but XML parsers have advanced considerably over the last few years. A well designed DTD should be surprisingly close to something like the typical Perl script which has to parse all of the slightly different variations of the same syslog message. In both cases, neither would be a significant problem even now and Moore's law suggests this won't change for the worse.

Chris

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
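The size comparison described in the message above, as an added example that is not part of the original post: it writes the same constructed events in the attribute-based form and in the element-per-field form, measures raw and gzip-compressed sizes, and parses both back to identical records. The `<log>` root, the `<message>` element, the sample events and the use of UTC in the readable timestamp are assumptions made for the illustration.

```python
import calendar
import gzip
import time
import xml.etree.ElementTree as ET

FMT = "%a %b %d %H:%M:%S UTC %Y"   # readable timestamp used by the verbose form

def sample_events(n=500):
    """Constructed sample records (host, epoch seconds, message); not real logs."""
    return [(f"host{i % 20}.example.com", 1234567890 + 7 * i,
             f"sshd[{1000 + i}]: Failed password for user{i % 5}")
            for i in range(n)]

def compact_xml(events):
    """Attribute-based form: <event host="..." timestamp="1234567890">msg</event>."""
    root = ET.Element("log")            # <log> root is an assumption
    for host, ts, msg in events:
        ET.SubElement(root, "event", host=host, timestamp=str(ts)).text = msg
    return ET.tostring(root)

def verbose_xml(events):
    """Element-per-field form with a human-readable timestamp."""
    root = ET.Element("log")
    for host, ts, msg in events:
        ev = ET.SubElement(root, "event")
        ET.SubElement(ev, "ip_hostname").text = host
        ET.SubElement(ev, "timestamp").text = time.strftime(FMT, time.gmtime(ts))
        ET.SubElement(ev, "message").text = msg   # <message> is an assumption
    return ET.tostring(root)

def parse_compact(data):
    return [(e.get("host"), int(e.get("timestamp")), e.text)
            for e in ET.fromstring(data).iter("event")]

def parse_verbose(data):
    # The readable timestamp has to be converted back before it can be compared or sorted.
    return [(e.findtext("ip_hostname"),
             calendar.timegm(time.strptime(e.findtext("timestamp"), FMT)),
             e.findtext("message"))
            for e in ET.fromstring(data).iter("event")]

def sizes(events):
    """Return {form: (raw_bytes, gzip_bytes)} for both encodings."""
    docs = {"compact": compact_xml(events), "verbose": verbose_xml(events)}
    return {name: (len(d), len(gzip.compress(d))) for name, d in docs.items()}

if __name__ == "__main__":
    for name, (raw, gz) in sizes(sample_events()).items():
        print(f"{name:8s} raw={raw:7d} bytes  gzip={gz:6d} bytes")
```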