Re: [logs] Syslog payload format

From: Balazs Scheidler (bazsiat_private)
Date: Mon Dec 30 2002 - 02:56:48 PST


    On Sun, Dec 22, 2002 at 03:10:37PM +1100, Darren Reed wrote:
    > In some mail from Balazs Scheidler, sie said:
    > > 
    > > xnewsyslog(LOG_DAEMON|LOG_DEBUG, "debug: %(user) %(tty) from %(host)",
    > > 	   "marcus", tty, where);
    > [...]
    > > That is, a constant event description comes first without _any_ variable
    > > data, semicolon and a list of tag/value pairs. This makes the message easy
    > > to read by humans (the description itself is not a tag), and the event is
    > > still easily parseable. So the above xnewsyslog() call would become
    > > something like this:
    > > 
    > > xnewsyslog(LOG_DAEMON | LOG_INFO, "User logged in; %(user), %(tty), %(host)",
    > > 	"marcus", tty, where);
    > 
    > I just realised there's a "problem" with both of these messages, and
    > this API if something like XML is going to be used.
    > 
    > The problem is these formats suggest that a message is going to be
    > logged in a manner that is similar to the formatting string and it
    > is not.
    > 
    > The above message would be logged, at best, like:
    > 
    > <event user="marcus" tty="ttyp6" host="ranum.com">User logged in; , ,</event>
    
    no, it would be logged as:
    
    <event user="marcus" tty="ttyp6" host="ranum.com">User logged in</event>
    
    which could be represented in a non-XML format for human processing. The
    problem with difficult APIs is that they will simply be ignored by programmers.
    If the API is simple enough, the benefits it provides will overweigh the
    laziness of programmers.
    
    So my suggestion is this:
    1) provide a clean API for sending tagged messages
    2) provide a not-so-clean but easier to use interface based on the first
    
    my xnewsyslog() proposal is the 2nd case. It is quite easy to use from the
    programmer's viewpoint and still makes it possible to tag message parts.
    
    > User logged in; user="marcus", tty="ttyp6", host=ranum.com
    > 
    > But that's not XML.
    
    It's a non-XML representation of an event, it is easier to read (for humans)
    and easier to produce (for programmers). It can be transformed to be XML
    easily.
    
    Logging an event should not take more than a single function call,
    otherwise it will be too difficult to use.
    
    -- 
    Bazsi
    PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
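
The rendering discussed in this message, as an added example that is not code from the thread or from any syslog implementation: `event_to_xml()` is a hypothetical helper that takes the "description; %(tag), ..." format string and one string argument per tag, and produces the `<event>` form shown above, escaping tag values so a hostile user or host name cannot add attributes. It assumes every tag value is a NUL-terminated string and that tag names in the format string are trusted constants; output that does not fit the buffer is truncated.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
static void append(char *out, size_t cap, const char *fmt, ...) {
    size_t n = strlen(out);
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out + n, cap - n, fmt, ap);  /* truncates at cap, never overflows */
    va_end(ap);
}

/* Escape characters that could close an attribute or inject markup. */
static void append_escaped(char *out, size_t cap, const char *s, size_t len) {
    for (size_t i = 0; i < len; i++) {
        const char *rep = s[i] == '&' ? "&amp;" : s[i] == '<' ? "&lt;" :
                          s[i] == '>' ? "&gt;" : s[i] == '"' ? "&quot;" : NULL;
        if (rep) append(out, cap, "%s", rep); else append(out, cap, "%c", s[i]);
    }
}

/* Hypothetical helper, not the proposed xnewsyslog(): takes one string per
 * %(tag). Returns the tag count, or -1 on an unterminated "%(". */
int event_to_xml(char *out, size_t cap, const char *fmt, ...) {
    const char *semi = strchr(fmt, ';');   /* the constant description ends here */
    int ntags = 0;
    va_list ap;
    if (cap == 0) return -1;
    snprintf(out, cap, "<event");
    va_start(ap, fmt);
    for (const char *p = semi; p && (p = strstr(p, "%(")) != NULL; ntags++) {
        const char *name = p + 2;
        if (!(p = strchr(name, ')'))) { va_end(ap); out[0] = '\0'; return -1; }
        append(out, cap, " %.*s=\"", (int)(p - name), name);
        const char *val = va_arg(ap, const char *);
        append_escaped(out, cap, val, strlen(val));
        append(out, cap, "\"");
    }
    va_end(ap);
    append(out, cap, ">");
    append_escaped(out, cap, fmt, semi ? (size_t)(semi - fmt) : strlen(fmt));
    append(out, cap, "</event>");
    return ntags;
}

int main(void) {
    char buf[256];  /* the user value below is constructed, with embedded quotes */
    event_to_xml(buf, sizeof buf, "User logged in; %(user)", "x\" tty=\"console");
    puts(buf);
    return 0;
}
```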
    



    This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 09:47:03 PST