Re: [logs] Secure Central Log Host

From: Florin Andrei (florinat_private)
Date: Tue Dec 03 2002 - 16:50:52 PST


    On Tue, 2002-12-03 at 09:37, Marcus J. Ranum wrote:
    > Jason Royes wrote:
    > >Databases (w/ good schema) excel when complex
    > >analysis is required.
    > 
    > Databases also require index inserts, support for transaction
    > rollback, and all kinda crazy stuff that makes them completely
    > unsuitable as logging systems. We (the collective unconscious "we")
    > keep using them, though, because they're available and can be
    > made to suit the purpose by throwing a bunch of hardware at the
    > problem - which is cheaper, really, than understanding the problem
    
    There's also the convenience of having programming interfaces to them in
    your other tools of choice, like PHP, Perl, etc.
    (also read below)
    
    > lot of simplifying assumptions you can make about logs:
    >         - they are inserted in event-sequence
    >         - they are approximately clustered by time
    >         - you seldom (if ever) will need to seek back 20 minutes
    >                 and delete a single log record
    >         - the fields you'll want to search on are either bounded
    >                 fairly tightly (priority, source, time) or are
    >                 free-form (regexp or string fragment) - so you'll
    >                 either want a very compact primary index for
    >                 the bounded values and a patricia tree or inverted
    >                 index for the strings
    
    I like your analysis, and in fact it's pretty close to my own
    conclusions a while ago. But then, when deciding which tools I was going
    to use to implement a logging DB, guess what? It was the convenience of
    having an SQL programming interface in PHP that won the battle. :-)
    
    Now, sure, if you can afford the resources, coming up with your own
    thing is the best way. I guess that's not far from what Addamark did
    (although on a completely different scale).
    
    > mjr. ("once a database guy - always a database guy.")
    
    Yeah. :-)
    
    -- 
    Florin Andrei
    
    It's ok to use the names of your pets or children as passwords
    as long as they contain several non-alphanumeric characters.
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
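
The simplifying assumptions quoted in the message above (sequential inserts, no deletes, a compact index for the bounded fields, an inverted index for the free-form strings), as an added Python example that is not code from this thread or from any of its posters. The class, field and function names are hypothetical, the sample records are constructed, and strict timestamp ordering is assumed where the thread only says "approximately clustered by time".

```python
import bisect
import re
from collections import defaultdict

class AppendOnlyLogStore:
    """Records arrive in event order and are never updated or deleted."""
    def __init__(self):
        self.records = []                 # (ts, priority, source, message)
        self.times = []                   # sorted for free: inserts are sequential
        self.bounded = defaultdict(list)  # ("pri"|"src", value) -> ascending ids
        self.tokens = defaultdict(list)   # inverted index: word -> ascending ids

    def append(self, ts, priority, source, message):
        if self.times and ts < self.times[-1]:
            raise ValueError("out-of-order record")  # assumption: strict ordering
        rid = len(self.records)
        self.records.append((ts, priority, source, message))
        self.times.append(ts)
        self.bounded[("pri", priority)].append(rid)
        self.bounded[("src", source)].append(rid)
        for tok in set(re.findall(r"[a-z0-9_.]+", message.lower())):
            self.tokens[tok].append(rid)
        return rid

    def search(self, start, end, priority=None, source=None, token=None):
        # Time window -> contiguous id range; each filter narrows it via postings.
        lo = bisect.bisect_left(self.times, start)
        hi = bisect.bisect_right(self.times, end)
        lists = [self.bounded.get((f, v), []) for f, v in
                 (("pri", priority), ("src", source)) if v is not None]
        if token:
            lists.append(self.tokens.get(token.lower(), []))
        hits = set(range(lo, hi))
        for p in lists:
            hits &= set(p[bisect.bisect_left(p, lo):bisect.bisect_left(p, hi)])
        return [self.records[i] for i in sorted(hits)]

# Constructed sample records: (epoch seconds, syslog priority, source, message).
SAMPLE = [
    (1038960000, 6, "fw1", "accepted connection from 10.0.0.5"),
    (1038960060, 3, "web1", "sshd: failed password for root from 10.0.0.9"),
    (1038960120, 3, "fw1", "dropped packet from 10.0.0.9"),
    (1038961500, 3, "web1", "sshd: failed password for admin from 10.0.0.9"),
]

def demo():
    store = AppendOnlyLogStore()
    for rec in SAMPLE:
        store.append(*rec)
    return store.search(1038960000, 1038960600, priority=3, token="failed")
```

Because record ids grow with time, every posting list stays sorted without any index rebalancing, and a time window turns into two binary searches per list.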
    



    This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 20:40:36 PST