Re: [logs] Syslog payload format

From: Darren Reed (avalonat_private)
Date: Mon Dec 30 2002 - 19:28:14 PST


    In some mail from Balazs Scheidler, sie said:
    > 
    > Hi,
    [...]
    > By using the ';' as a separator in the format string. No macros would be
    > allowed before the ';'.
    
    Why not ?  And why ';' ?
    Are you saying ';' cannot be used in a log message, now ?
    
    > Maybe this separation could be strictened by using
    > two separate arguments:
    > 
    > xnewsyslog(LOG_DAEMON | LOG_INFO, 
    >            "User logged in", 
    >            "%(user)s %(tty)s %(host)s",
    >            "marcus", "ttyp6", host);
    
    So how do I include random bits of printf-like formatting in the
    event message ?  It looks like I should be able to!
    
    > My original intention was to clearly mark the separation between human
    > readable description and variable part. In my original suggestion this was
    > the ';' though it may not have been emphasized enough.
    
    It wasn't.
    
    > > > 1) provide a clean API for sending tagged messages
    > > > 2) provide a not-so-clean but easier to use interface based on the first
    > > 
    > > I think you need a (3) as well:
    > > 
    > > 3) provide a replacement for the current syslog(3) API that produces
    > >    tagged messages.
    > 
    > I think 2) and 3) are the same. A completely syslog(3) compatible function
    > could not generate tags, as there is no tagging in its arguments.
    
    No, they're not because that's not the point of doing (3).
    
    The point of doing (3) is to get syslog(3) to produce compatible output
    with the desired formatting.  FWIW, there are implicit tags - pid,
    hostname, program name, time - that can be marked up.
    
    Doing (3) gets you a minimal update to a marked up output without
    having to change *ANY* applications, today.
    
    [...]
    
    Sorry, that doesn't let me log raw (binary) data structures.
    
    For that matter, using %(blah)foo just makes processing harder, not
    easier and definitely not "obvious".
    
    If I see "%(user)s %(host)s" in a string somewhere, I would expect it
    to be output somewhere as a whole, not in parts.  Since you're going
    down vararg lane (or stdargs), you may as well use proper value pairing,
    such as was suggested earlier - log(..., USER|STRING, username, ...)
    
    It might not be as concise as the text string, but it's not ambiguous
    or misleading (using %-foo stuff for string replacement is not uncommon),
    I believe.
    
    Darren
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
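
The value pairing suggested in the message above (log(..., USER|STRING, username, ...)), written out as an added example that is not part of the original post or of any real syslog API. The field ids, type flags, function names and the name="value" output format are assumptions made for illustration; values are never interpreted as format strings, so ';' and '%' inside them stay plain data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field ids and type flags; not from any real syslog API. */
enum { F_MSG = 1, F_USER, F_TTY, F_HOST, F_PID, F_MASK = 0xff };
enum { T_STRING = 0x100, T_INT = 0x200 };
static const char *const fname[] = { "", "msg", "user", "tty", "host", "pid" };

/* Append n bytes of s to out; returns 0, or -1 if they would not fit. */
static int put(char *out, size_t sz, size_t *len, const char *s, size_t n)
{
    if (n >= sz - *len) return -1;      /* keep one byte for the NUL */
    memcpy(out + *len, s, n);
    out[*len += n] = '\0';
    return 0;
}

/* Format (id|type, value) pairs, ended by 0, as name=value fields.
 * Strings are quoted, with '"' and backslash escaped, so a value cannot
 * forge a field. Returns 0, or -1 on overflow or a malformed pair. */
int tagged_format(char *out, size_t sz, ...)
{
    va_list ap;
    size_t len = 0;
    int key, rc = sz ? 0 : -1;
    char tmp[48];
    if (sz) out[0] = '\0';
    va_start(ap, sz);
    while (rc == 0 && (key = va_arg(ap, int)) != 0) {
        int id = key & F_MASK;
        if (id < F_MSG || id > F_PID) { rc = -1; break; }
        int n = snprintf(tmp, sizeof tmp, "%s%s=", len ? " " : "", fname[id]);
        rc = put(out, sz, &len, tmp, (size_t)n);
        if (rc == 0 && (key & T_STRING)) {
            const char *s = va_arg(ap, const char *);
            rc = put(out, sz, &len, "\"", 1);
            for (; rc == 0 && *s; s++) {
                if (*s == '"' || *s == '\\') rc = put(out, sz, &len, "\\", 1);
                if (rc == 0) rc = put(out, sz, &len, s, 1);
            }
            if (rc == 0) rc = put(out, sz, &len, "\"", 1);
        } else if (rc == 0 && (key & T_INT)) {
            n = snprintf(tmp, sizeof tmp, "%d", va_arg(ap, int));
            rc = put(out, sz, &len, tmp, (size_t)n);
        } else rc = -1;                 /* unknown type flag or no room */
    }
    va_end(ap);
    return rc;
}
```
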
    



    This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:26:09 PST