Rainer Gerhards wrote:
>This raises the question if we _really_ want to support nested XML... Do
>we? Personally, I don't think so.

One of the values I put in the data/tag map Paul and I worked on was a "Reference" field. My _opinion_ is that log entries are more likely to form time-directional linked lists, rather than nested entries.

Which is better?

    <REC>
    <TO>mjrat_private</TO>
    <TO>lanceat_private</TO>
    <TO>infoat_private</TO>
    </REC>

or

    <REC>
    <RCPT><TO>mjrat_private</TO></RCPT>
    <RCPT><TO>lanceat_private</TO></RCPT>
    <RCPT><TO>infoat_private</TO></RCPT>
    </REC>

Here's another theory:

EVENT RECORDS MAY CONTAIN DUPLICATE OR MISSING TAGS

i.e.: you need to be able to handle 15 <TO></TO> tags. After all, <UL> is just a silly overcomplex way of doing the same thing.

Now, another example:

    <REC>
    <TO>mjrat_private</TO>
    <QUEUEID>A8123AAF</QUEUEID>
    </REC>
    <REC>
    <QUEUEID>A8123AAF</QUEUEID>
    <STATUS>stat=sent</STATUS>
    </REC>

These can be forward-chained into a linked list by <QUEUEID> easily if desired. But to nest those, your logging system would have had to maintain the first event record until the second happened. Which might NEVER happen.

I believe that the only way to chain events reasonably is in post-processing, which means that nested tags are less useful but duplicated tags are useful.

mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjrat_private
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
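The post-processing approach described in the message above, as an added example that is not part of the original post: flat records are parsed so that duplicate tags are kept as lists, then chained by QUEUEID after the fact, with records lacking the key and chains that never receive a STATUS reported rather than dropped. The sample stream, the addresses in it, the function names and the simple regex parser (uppercase tags, no nesting or entities) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample stream, modelled on the records in the message above.
# The third record has no QUEUEID; queue id B9000BBC never gets a STATUS.
SAMPLE = """
<REC><TO>alice@example.test</TO><TO>bob@example.test</TO><QUEUEID>A8123AAF</QUEUEID></REC>
<REC><QUEUEID>A8123AAF</QUEUEID><STATUS>stat=sent</STATUS></REC>
<REC><STATUS>stat=startup</STATUS></REC>
<REC><TO>carol@example.test</TO><QUEUEID>B9000BBC</QUEUEID></REC>
"""

REC_RE = re.compile(r"<REC>(.*?)</REC>", re.S)
TAG_RE = re.compile(r"<([A-Z]+)>(.*?)</\1>", re.S)

def parse_records(text):
    """Parse flat records into tag -> list of values, so duplicate tags survive."""
    records = []
    for body in REC_RE.findall(text):
        rec = defaultdict(list)
        for tag, value in TAG_RE.findall(body):
            rec[tag].append(value.strip())
        records.append(dict(rec))
    return records

def chain_by(records, key="QUEUEID"):
    """Group records into arrival-ordered chains keyed on `key`.

    Records without the key are returned separately instead of being dropped.
    """
    chains, unlinked = defaultdict(list), []
    for rec in records:
        ids = rec.get(key, [])
        if not ids:
            unlinked.append(rec)
        for qid in ids:
            chains[qid].append(rec)
    return dict(chains), unlinked

def open_chains(chains, closing_tag="STATUS"):
    """Return keys whose chain has no closing record (not yet, or never)."""
    return sorted(k for k, recs in chains.items()
                  if not any(closing_tag in r for r in recs))

if __name__ == "__main__":
    chains, unlinked = chain_by(parse_records(SAMPLE))
    for qid, recs in chains.items():
        print(qid, recs)
    print("unlinked:", unlinked)
    print("open:", open_chains(chains))
```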
This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:36:40 PST