RE: [logs] Syslog payload format

From: Frank O'Dwyer (fodat_private)
Date: Fri Dec 20 2002 - 07:06:56 PST

    Rainer Gerhards wrote:
    > > (1) You can be sure that application programmers are going to
    > > do both of the following types of calls:
    > >
    > >        eventlog_addvalue(EVENTLOG_TEXT, "memory remaining < 10M!");
    > >        eventlog_addvalue(EVENTLOG_TRADESUMMARY,
    > >            "<trade><stock>MSFT</stock><blah>blah</blah></trade>");
    >
    > This raises the question if we _really_ want to support nested XML... Do
    > we?
    
    It's not necessary for mjr's proposal. The other kind of tag/value format
    suggested is basically the same but would remove the nesting:
    
       host="foo.bar.com" prog="trader" pid="100" tradesummary="<trade><stock>...etc"
    
    which, by the way, can also be expressed in pseudo-XML as:
    
       <entry host="foo.bar.com" prog="trader" etc... />
    
    (Interestingly this is very close to the 'COOKED' format of RFC3195, and is
    essentially an open-ended and DTD-less version of the same thing)
    
    Either of those also works for XML-heads since they can run a program or
    even an XSL stylesheet over either, and easily get any desired XML format
    (including a bizarre nested one if that is what some processor is
    expecting). The reverse translation also works. Doesn't really matter. The
    key point is that the structure & default info is there, and that it can
    also handle whatever the app programmer throws at it.
    
    Cheers,
    Frank
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
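
The translation described in the message above (flat tag/value line to `<entry ... />` and back), as an added example that is not part of the original post or of any poster's code. The function names and the backslash-escaping rule for `"` and `\` inside values are assumptions, since the thread does not define an escaping rule; the sample line is constructed from the values quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Assumption (not from the thread): inside a quoted value, " and \ are
# backslash-escaped, so application text cannot close the quote early and
# add fields of its own.
PAIR = re.compile(r'\s*([A-Za-z_][\w.-]*)="((?:[^"\\]|\\.)*)"')

# Constructed sample, assembled from the values quoted in the thread.
SAMPLE = ('host="foo.bar.com" prog="trader" pid="100" '
          'tradesummary="<trade><stock>MSFT</stock><blah>blah</blah></trade>"')

def parse_tagvalue(line):
    """Parse key="value" pairs; reject malformed input and repeated keys."""
    line, fields, pos = line.strip(), {}, 0
    while pos < len(line):
        m = PAIR.match(line, pos)
        if not m or m.group(1) in fields:
            raise ValueError(f"malformed or duplicate field at offset {pos}")
        fields[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
        pos = m.end()
    return fields

def format_tagvalue(fields):
    """Write fields back out as one tag/value line, escaping \\ and "."""
    esc = lambda v: v.replace("\\", "\\\\").replace('"', '\\"')
    return " ".join(f'{k}="{esc(v)}"' for k, v in fields.items())

def to_entry_xml(fields):
    """Emit a flat <entry .../>; ElementTree escapes <, >, & and quotes,
    so an embedded XML payload stays attribute text, not child elements."""
    return ET.tostring(ET.Element("entry", fields), encoding="unicode")

def from_entry_xml(text):
    """Reverse translation: accept only a flat <entry .../> element."""
    elem = ET.fromstring(text)
    if elem.tag != "entry" or len(elem) or (elem.text or "").strip():
        raise ValueError("expected a flat <entry .../> element")
    return dict(elem.attrib)

if __name__ == "__main__":
    fields = parse_tagvalue(SAMPLE)
    print(to_entry_xml(fields))
    assert from_entry_xml(to_entry_xml(fields)) == fields
    assert parse_tagvalue(format_tagvalue(fields)) == fields
```
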
    


