It definitely sounds like a religious war starting. There's the "XML can fix it all" folks and the "defined format works for me" folks.

To the XML folks, here are the possibilities for each piece of information:

Options for a timestamp:
    <timestamp>0123456789</timestamp>
    <ts>0123456789</ts>
    timestamp=0123456789
    ts=0123456789

To the defined format works folks:

Options for a timestamp:
    0123456789

The difference is that for the human or the computer, you define/program the entity to understand that a timestamp is the value between the <timestamp> or <ts> tags or after the timestamp= or ts= tags for XML folks or is the value between location x and x+10 for event Y for the defined format folks. Either way a parser is involved and either way humans and computers can "understand" the value of 'timestamp'. Just as most people and newer software know what this :) means.

I believe what it comes down to is how much resources we are willing to use for the perceived value that is returned. The XML folks perceive that the value of encapsulating data is worth the additional resources used to capture the same information.

Personally, I still truly believe that simple is best and smaller is better. This has typically proved to be true in the security domain in which I am employed. This has typically also been true for the Internet in general such as SMTP vs. X.400, LDAP vs. X.500, TCP/IP vs. OSI, etc. This isn't to say that those other solutions weren't more elegant and couldn't handle more possibilities, but they weren't as simple to implement.

As this probably won't settle anything, the only solution seems to be to create two competing IETF drafts and see who wins.

Ron Ogle
Rennes, France

> -----Original Message-----
> From: Bennett Todd [mailto:betat_private]
> Sent: Thursday, August 22, 2002 11:02 PM
> To: Chris Adams
> Cc: loganalysisat_private
> Subject: Re: Re[2]: [logs] Logging: World Domination
>
> ..
> We can express the semantics that we need with a record that's a
> linear list of whitespace-separated tokens on a single text line,
> with some fixed fields always required, followed by hierarchically
> assigned tokens, first one defining a category ("OS"; "Firewall";
> "DB"; "Webserver"; ...); then a separate list of tokens for each of
> those categories; the remainder of the record with format defined
> appropriately for each of those; and so forth.
>
> Or we could express the same thing with XML, to buy ourselves some
> buzzword compliance at the expense of a preposterously more complex
> (==inefficient, nonportable, bugridden, security-problem-inducing)
> parser for a class of complex structured languages. If we want to
> sabotage this project, XML would be a fine step.
>
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
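
Added example, not part of the original message or of any draft discussed on the list: the same event in the three encodings the thread compares (positional tokens with a category-specific tail, name=value tokens, and XML tags), each with its own parser and one shared strict validator. The field names, their order, the "Firewall" token list and the sample values are assumptions made up for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: one event in three encodings. Field names, order and
# the "Firewall" token list are assumptions made for this example.
TOKENS = "0123456789 fw01 Firewall deny tcp 10.0.0.5 22"
KEYVAL = ("ts=0123456789 host=fw01 cat=Firewall action=deny proto=tcp "
          "src=10.0.0.5 dport=22")
XML = ("<event><ts>0123456789</ts><host>fw01</host><cat>Firewall</cat>"
       "<action>deny</action><proto>tcp</proto><src>10.0.0.5</src>"
       "<dport>22</dport></event>")

FIXED_FIELDS = ("ts", "host", "cat")            # always required, in order
CATEGORY_FIELDS = {"Firewall": ("action", "proto", "src", "dport")}
TS_RE = re.compile(r"[0-9]{10}")                # ASCII digits only

def check(pairs):
    """Validation shared by all three parsers; takes ordered (name, value) pairs."""
    rec = dict(pairs)
    cat = rec.get("cat")
    if cat not in CATEGORY_FIELDS:
        raise ValueError("unknown category")
    # Exact, ordered field list: rejects missing, extra and duplicate fields.
    if tuple(k for k, _ in pairs) != FIXED_FIELDS + CATEGORY_FIELDS[cat]:
        raise ValueError("unexpected field list")
    if not TS_RE.fullmatch(rec["ts"]):
        raise ValueError("bad timestamp")
    return rec

def parse_tokens(line):
    """Positional record: meaning comes from position and the category token."""
    toks = line.split(" ")
    cat = toks[2] if len(toks) > 2 else None
    names = FIXED_FIELDS + CATEGORY_FIELDS.get(cat, ())
    if len(toks) != len(names):
        raise ValueError("wrong token count")
    return check(list(zip(names, toks)))

def parse_keyval(line):
    """name=value record: meaning comes from the name before '='."""
    parts = [tok.partition("=") for tok in line.split(" ")]
    if any(sep != "=" for _, sep, _ in parts):
        raise ValueError("token without '='")
    return check([(k, v) for k, _, v in parts])

def parse_xml(doc):
    """Tagged record. ElementTree is used for brevity; it is not hardened
    against hostile XML, which is part of the parser cost the thread debates."""
    root = ET.fromstring(doc)
    return check([(child.tag, child.text or "") for child in root])
```

All three parsers return the same dictionary for the samples, and the encoded lengths grow from the positional form to name=value to XML, which is the resource trade-off the message describes.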
This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 10:27:08 PDT