RE: [logs] Syslog payload format

From: Frank O'Dwyer (fodat_private)
Date: Tue Dec 17 2002 - 11:14:09 PST


    Rainer,
    
    As far as the idea of getting an internet-draft together is concerned, I
    think that standardisation of the payload content is sorely needed and would
    be happy to contribute to such a thing.
    
    However, I've been thinking about this a bit more, and as a previous poster
    commented, the payload format is just syntax. The syntax is obviously needed
    and does matter, but it's not really the first thing to consider; the
    content is.
    
    What is needed in the first place is pretty simple: it's an API that
    includes at least this:
    
       log(event);
    
    Where 'event' is an event object, or something like a 'struct' if you're a
    'C' programmer.
    
    So the first question is what does an event consist of? Things like
    generation time, event id, priority, source, human readable message,
    forwarding trail, maybe some application-specific payload, what else? It's
    easy to come up with a long shopping list, but what are the basics that
    people could agree on, and which are optional and which are mandatory?
    
    Once you know the content of the object/struct, you can then worry about
    getting it from A to B, and safely tucked into some log or other.
    
    In fact the format that goes on the wire is going to be a fairly mechanical
    serialization of the event object. The serialization format could be any of
    a number of well-known options, and the details don't really matter much as
    long as it meets basic criteria such as (a) flexible/fixable, (b) easy/quick
    for clients to emit, (c) somewhat human-readable, (d) easily/quickly parsed,
    (e) reasonably efficient in space terms, or at least compressible.
    
    [As an aside, anything you come up with will likely have an obvious XML
    equivalent, but that doesn't mean XML needs to be the on-the-wire format
    (although that or an XML subset is an obvious choice to consider).]
    
    The protocol itself is basically a remoting of the log() call. Again,
    various options for that, including RFC3195.
    
    Indeed if you had something like Java RMI, CORBA or SOAP at your disposal
    (not that I am suggesting any of these as the way to do it), there'd be
    nothing at all to do but define the API & crank the handle to make it
    remotely accessible.
    
    Cheers,
    Frank
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
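An added example, not Frank's code or anything from the list: a Python sketch of the event object his message describes, together with the "fairly mechanical serialization" he expects the wire format to be. The mandatory/optional split, the key names, the key="value" line syntax and the `forward()` relay step are all assumptions made for the example; the post deliberately leaves them open. The parser enforces the mandatory set, keeps unknown keys instead of dropping them (his "flexible/fixable" criterion), and escapes quotes and newlines so a message cannot break the one-event-per-line framing.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed split of the field list in the post; the post does not decide this.
MANDATORY = ("time", "id", "priority", "source", "msg")
OPTIONAL = ("trail", "payload")


@dataclass
class Event:
    time: str          # generation time, ISO 8601 text
    id: str            # event id
    priority: int      # 0 (most urgent) .. 7, syslog-style
    source: str        # originating host/application
    msg: str           # human-readable message
    trail: list = field(default_factory=list)   # forwarding hops, in order
    payload: Optional[str] = None               # application-specific data
    extra: dict = field(default_factory=dict)   # unknown keys are kept, not lost


def _quote(value: str) -> str:
    """Escape so any value fits inside double quotes on a single line."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"' + escaped + '"'


def _unquote(raw: str) -> str:
    """Undo _quote(): \\\\ -> \\, \\" -> ", \\n -> newline."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append("\n" if nxt == "n" else nxt)
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def serialize(ev: Event) -> str:
    """Mechanical serialization: space-separated key="value" pairs, one line."""
    pairs = [("time", ev.time), ("id", ev.id), ("priority", str(ev.priority)),
             ("source", ev.source), ("msg", ev.msg)]
    if ev.trail:
        pairs.append(("trail", ",".join(ev.trail)))
    if ev.payload is not None:
        pairs.append(("payload", ev.payload))
    pairs.extend(ev.extra.items())
    return " ".join(f"{k}={_quote(v)}" for k, v in pairs)


# One key="value" pair; the value may contain backslash escapes.
_PAIR = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse(line: str) -> Event:
    """Parse one serialized line back into an Event, enforcing the mandatory set."""
    fields, pos = {}, 0
    for m in _PAIR.finditer(line):
        # Anything other than whitespace between pairs means the line is
        # garbled; fail loudly rather than silently losing fields.
        if line[pos:m.start()].strip():
            raise ValueError(f"unparseable text at offset {pos}")
        fields[m.group(1)] = _unquote(m.group(2))
        pos = m.end()
    if line[pos:].strip():
        raise ValueError(f"unparseable text at offset {pos}")
    missing = [k for k in MANDATORY if k not in fields]
    if missing:
        raise ValueError(f"missing mandatory field(s): {missing}")
    ev = Event(time=fields.pop("time"), id=fields.pop("id"),
               priority=int(fields.pop("priority")),
               source=fields.pop("source"), msg=fields.pop("msg"))
    if "trail" in fields:
        ev.trail = fields.pop("trail").split(",")
    ev.payload = fields.pop("payload", None)
    ev.extra = fields            # whatever is left is an unknown, optional key
    return ev


def forward(line: str, hop: str) -> str:
    """What a relay does: parse, add itself to the forwarding trail, re-emit."""
    ev = parse(line)
    ev.trail.append(hop)
    return serialize(ev)


if __name__ == "__main__":
    # Constructed sample event; the quote and newline in msg are the edge case.
    sample = Event(time="2002-12-17T11:14:09-08:00", id="auth.failed", priority=4,
                   source="host1/sshd", msg='bad password for "root"\nfrom 10.0.0.5')
    wire = serialize(sample)
    print(wire)
    print(forward(forward(wire, "relay1"), "relay2"))
```

The design choice worth noting is that the parser never trusts the line to be well formed: stray text between pairs, a missing mandatory key, or a non-numeric priority all raise instead of producing a half-filled event, while unknown keys survive a relay hop unchanged.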
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:16:45 PST