> > idsa_set(c,"debug","syslog",0,IDSA_R_NONE,IDSA_R_NONE,IDSA_R_NONE,
> >   "event",IDSA_T_STRING,"marcus login","from",IDSA_T_HOST,where,NULL);
> >
> > which is about as compact as it gets without losing structure information.
>
> That's mammothly complex!

Shucks, is it really that bad ? Maybe some whitespace would help

  idsa_set(c,"debug","syslog",0,IDSA_R_NONE,IDSA_R_NONE,IDSA_R_NONE,
           "event",IDSA_T_STRING,"marcus login",
           "from" ,IDSA_T_HOST,  where,
           NULL);

Ignore the first line, it contains the stuff which is mandatory and
includes three risk values. Following that each line is just a
label,type,value terminated by a NULL.

> My thinking (to date) has been along the lines of doing something
> like is done with writev() - ie.
>
> initlogging(name,options);
> logitems[0].type = STRING;
> logitems[0].value = "marcus login: from";
> logitems[1].type = HOSTNAME;
> logitems[1].value = where;
> addlogmessage(logtype,priority,logitems,2);

Hmm. I presume you want to associate a label/key with each of the
items, or am I misreading this ? Also you may have to pass a handle
between init* and add*, otherwise you require that the user do locking
in a multithreaded program (hey, I think MT is bad and the MT support
of my implementation consists of each thread having to allocate its
own connection handle ;)

> It also has scope for holding more complex information
> for logging and that may be something that comes through in the XML
> which isn't possible with the above.
> e.g.
>
> char *fruit[5] = {"a", "b", "c", "d", "e"};
> logitems[0].type = STRINGARRAY;
> logitems[0].count = 5;
> logitems[0].value = fruit;

Fair enough. Actually the variadic approach is also awkward when one
does not know the exact number of logitems at compile time. In that
case idsa can fall back on something which resembles your approach.
Using mjr's logging-data-map as example scheme:

  /* get event handle */
  evt = idsa_event(c);

  /* fill in required stuff */
  idsa_name(evt, "login");
  idsa_scheme(evt, "logging-data-map");
  idsa_risks(evt, 0, IDSA_R_PARTIAL, IDSA_R_UNKNOWN, IDSA_R_PARTIAL);

  /* add extra fields */
  idsa_add_set(evt, "srcuser", IDSA_T_STRING, "marcus");
  idsa_add_set(evt, "srcdev", IDSA_T_HOST, where);

  /* log and invalidate evt */
  idsa_log(c, evt);

But usually the long form is not needed, and IMHO also a bit too
demanding - so if it is the only option, the risk exists that
programmers will ignore logging entirely or stick with the old.

regards

marc
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:22:27 PST
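
Added example, not part of the original message and not idsa's code: a small C sketch of the two call styles discussed in the thread, a NULL-terminated variadic list of label,type,value triples and a writev()-like item array, both feeding one serializer. The names ev_log, ev_logv, ev_item and the label:type="value" output format are hypothetical, and the escaping of field values is an assumption about how structure would be kept intact.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
enum ev_type { EV_STRING = 's', EV_HOST = 'h' };   /* hypothetical type tags */
struct ev_item { const char *label; enum ev_type type; const char *value; };

/* Append label:type="value" at out[len], escaping quotes, backslashes and control
   bytes so a value cannot forge fields or lines. Returns new length or -1. */
static int ev_put(char *out, size_t cap, size_t len, const struct ev_item *it)
{
    int n = snprintf(out + len, cap - len, "%s%s:%c=\"", len ? " " : "", it->label, it->type);
    if (n < 0 || (size_t)n + 2 > cap - len) return -1;  /* closing quote, NUL must fit */
    len += (size_t)n;
    for (const unsigned char *p = (const unsigned char *)it->value; *p; p++) {
        if (len + 6 > cap) return -1;          /* worst case: \xNN, quote, NUL */
        if (*p == '"' || *p == '\\') { out[len++] = '\\'; out[len++] = (char)*p; }
        else if (*p < 0x20 || *p == 0x7f)
            len += (size_t)snprintf(out + len, cap - len, "\\x%02x", (unsigned)*p);
        else out[len++] = (char)*p;
    }
    out[len++] = '"'; out[len] = '\0';
    return (int)len;
}

/* Array form: the item count is only known at run time. */
int ev_logv(char *out, size_t cap, const struct ev_item *items, size_t count)
{
    int len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < count && len >= 0; i++)
        len = ev_put(out, cap, (size_t)len, &items[i]);
    return len;
}

/* Variadic form: label, type, value triples ended by (const char *)NULL.
   At most 16 triples are read; anything beyond that is ignored. */
int ev_log(char *out, size_t cap, ...)
{
    struct ev_item items[16];
    size_t count = 0; const char *label; va_list ap;
    va_start(ap, cap);
    while (count < 16 && (label = va_arg(ap, const char *)) != NULL) {
        items[count].label = label;
        items[count].type = (enum ev_type)va_arg(ap, int);
        items[count++].value = va_arg(ap, const char *);
    }
    va_end(ap);
    return ev_logv(out, cap, items, count);
}
```

The terminator has to be passed as a pointer, (const char *)NULL, because a bare NULL may be a plain integer 0 in a variadic call.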