Re: [logs] Syslog payload format

From: Balazs Scheidler (bazsiat_private)
Date: Thu Jan 02 2003 - 01:16:12 PST

    On Wed, Jan 01, 2003 at 05:27:27AM +1100, Darren Reed wrote:
    > In some mail from Balazs Scheidler, sie said:
    > > 
    > > > For that matter, using %(blah)foo just makes processing harder, not
    > > > easier and definitely not "obvious".
    > > > 
    > > > If I see "%(user)s %(host)s" in a string somewhere, I would expect it
    > > > to be output somewhere as a whole, not in parts.  Since you're going
    > > > down vararg lane (or stdargs), you may as well use proper value pairing,
    > > > such as was suggested earlier - log(..., USER|STRING, username, ...)
    > > 
    > > Hmm... Are USER and STRING above numeric constants? That is what the
    > > operator '|' makes me believe. We have to solve two problems:
    > > 
    > > 1) identifying the tag
    > USER is the tag, STRING is the type of data being passed.
    > I chose constants rather than freeform text to get around the problem
    > of different application developers using different tags for the same
    > thing.  Is it a user or login id or what...give them a finite pool and
    > let them choose one.

    I've also stated in my mail that macros could be used for tag naming.

    > > 2) create a handy interface for the programmer to format values
    > [...]
    > Now if this were java, each tag would be an object and the tag/value
    > pair would just be the result of serialising it.
    > Again, I don't necessarily want the programmer deciding how to format
    > the values aside from saying what type of data it is.
    > I don't want to see this kind of thing:
    > "srchost", "%16s", caller

    Hmm... I know it's a problem to open another possibility for format string
    attacks. But forcing the programmer to format values first and emit the log
    message later makes the interface difficult to use. You'd see code snippets
    like this then:

        char buf1[256], buf2[256];

        snprintf(buf1, sizeof(buf1), "%d", fd);
        strlcpy(buf2, inet_ntoa(ip), sizeof(buf2));
        xnewsyslog(..., "new connection accepted",
                   IPADDR, buf2,
                   PEERFD, buf1);

    My tag naming is not fortunate, but the point is: some kind of formatting is
    often required. Formatting is usually done with printf-like functions.

    > Plus, I doubt you can currently teach gcc about that for printf-style
    > format-arg checking.

    Bad bet:

        int foo(char *format, ...) __attribute__((__format__ (__printf__, 1, 2)));

    PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
    LogAnalysis mailing list
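
The combination debated in this message (a finite pool of tag constants, with each value formatted printf-style under gcc's format checking) can be sketched as below. This is an added example, not code from the thread or from any syslog implementation; `log_pair`, the `TAG_*` constants and `demo` are hypothetical names, and the sample address is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag constants: a finite pool, as the quoted mail proposes. */
enum log_tag { TAG_IPADDR, TAG_PEERFD, TAG_USER };
static const char *const tag_names[] = { "ipaddr", "peerfd", "user" };

/* Append one "tag=value" pair to msg. The value comes from a printf-style
 * format; the attribute makes gcc/clang check fmt against the arguments
 * (parameter 4 is the format, the variadic arguments start at 5).
 * Returns 0 on success, -1 if the pair did not fit (msg is left unchanged). */
static int log_pair(char *msg, size_t size, enum log_tag tag,
                    const char *fmt, ...)
    __attribute__((__format__(__printf__, 4, 5)));

static int log_pair(char *msg, size_t size, enum log_tag tag,
                    const char *fmt, ...)
{
    size_t used = strlen(msg);
    va_list ap;
    int n, m;

    if (used >= size)
        return -1;
    n = snprintf(msg + used, size - used, "%s%s=",
                 used ? " " : "", tag_names[tag]);
    if (n < 0 || (size_t)n >= size - used) { msg[used] = '\0'; return -1; }
    va_start(ap, fmt);
    m = vsnprintf(msg + used + n, size - used - n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= size - used - n) { msg[used] = '\0'; return -1; }
    return 0;
}

/* Constructed usage: the "new connection accepted" values from the mail,
 * formatted in place without the intermediate buf1/buf2 step. */
static const char *demo(char *msg, size_t size, const char *ip, int fd)
{
    msg[0] = '\0';
    log_pair(msg, size, TAG_IPADDR, "%s", ip);
    log_pair(msg, size, TAG_PEERFD, "%d", fd);
    return msg;
}
```

With `-Wformat` enabled, a call such as `log_pair(msg, size, TAG_PEERFD, "%s", fd)` is flagged at compile time, and untrusted strings stay safe as long as they are passed as arguments rather than as `fmt`.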