Re: [logs] Syslog payload format

From: Marcus J. Ranum (mjrat_private)
Date: Thu Jan 02 2003 - 07:01:17 PST


    Balazs Scheidler wrote:
    >What do others think about whether typing of tags should be done or not?
    
    I don't think we need to type tags. The whole idea of tagging
    the data is to allow it to be implicitly typed. So it's OK to
    convert to a string for simplicity, if you know the tag. There's
    no need to get overcomplex - otherwise we'll just have ASN.1 all
    over again.
    
    If I log something as: (using Paul and my data map..)
    PRIO=5
    SRCUSER=root
    SRCDEV=fratz.ranum.com
    TARGDEV=10.10.10.332
    
    I can infer the types quite easily from the data map. We KNOW
    PRIO is 0 - 11
    SRCUSER is a string
    SRCDEV is an address or name - so we can subparse it as such
    TARGDEV is an address or name
    
    IN FACT, "type inference from tag name" is what XML does, right?
    You know in the DTD that a XYZ is a particular type or format. So
    you don't need to carry the type info along with the data because
    it's been agreed-upon in advance. Whenever tagging comes up as a
    topic someone (it's about time...) pipes up and says something
    about compression or inefficiency of markup languages. Well, that's
    the whole reason for a DTD or agreed-upon tagging scheme: you carry
    the data model _OUTSIDE_ of the data. So you don't have to include
    all that nonsense. If you really care, you can check for it when
    someone passes a logging event IN to the system, or OUT of it, but
    it doesn't matter where because at any point in the process, the
    declarative type/formatting is external to the data itself.
    
    I've been extremely depressed reading this mailing list. The
    amount of additional complexity that keeps getting added to
    such a simple problem is really disappointing and we keep
    going in circles around the same issues. It's been 2 weeks,
    now, so it's about the scheduled time for someone new to the
    list to pop up and say "why not use XML"??   :(  :(  :(  Indeed,
    XML does _EXACTLY_ the kind of "type inference from tag name"
    (e.g.: the DTD) that I am talking about!!!  Now, we've done the
    "what would an API for a new syslog client side look like"
    discussion and have basically re-discovered syslog twice, varargs
    twice, my suggestion twice, and lord knows what else. Collectively,
    we're doing such a good job of beating horses to death without
    getting anyplace we may as well join the IETF. This stuff is so
    damn obvious it's not even funny. It's just logging, it's not
    brain surgery.
    
    Frustrated,
    mjr. 
    ---
    Marcus J. Ranum				http://www.ranum.com
    Computer and Communications Security	mjrat_private
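As an added illustration, not code from Marcus's message or from anything the LogAnalysis list produced, the following Python sketch shows what "the data model _OUTSIDE_ of the data" looks like in practice: the payload carries only `TAG=value` strings, and a separate data map (here a dict named `DATA_MAP`, my assumption, populated with the four tags and the types the message lists) supplies the typing and the subparsing at the point where an event enters or leaves the system. The hostname syntax check is my own choice for the "address or name" rule. Note that with the message's own sample, `10.10.10.332` fails the IP-address parse (the last octet is out of range) and is therefore subparsed as a name, which is exactly the kind of thing an ingest-side check would surface.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Hostname syntax per RFC 1123 label rules (assumption: this is what "name" means).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


@dataclass
class TypedEvent:
    """Typed view of one logged event plus any data-map violations found."""
    fields: Dict[str, Any] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def as_bounded_int(lo: int, hi: int) -> Callable[[str], int]:
    """Build a converter for an integer tag with an agreed-upon range."""
    def conv(raw: str) -> int:
        n = int(raw)  # raises ValueError on non-numeric input
        if not lo <= n <= hi:
            raise ValueError(f"{n} outside {lo}..{hi}")
        return n
    return conv


def as_host(raw: str):
    """Subparse an 'address or name' tag: IP address first, hostname second."""
    try:
        return ("address", ipaddress.ip_address(raw))
    except ValueError:
        pass
    if HOSTNAME_RE.match(raw):
        return ("name", raw)
    raise ValueError(f"{raw!r} is neither an IP address nor a hostname")


# The data map: agreed upon in advance, never carried inside the payload.
# Hypothetical; mirrors the four tags and types named in the message.
DATA_MAP: Dict[str, Callable[[str], Any]] = {
    "PRIO": as_bounded_int(0, 11),
    "SRCUSER": str,
    "SRCDEV": as_host,
    "TARGDEV": as_host,
}


def parse_payload(text: str) -> Dict[str, str]:
    """Split a TAG=value payload into untyped strings; no type info is read here."""
    fields: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        tag, sep, value = line.partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"line {lineno}: expected TAG=value, got {line!r}")
        fields[tag.strip()] = value.strip()
    return fields


def type_event(fields: Dict[str, str], data_map=DATA_MAP) -> TypedEvent:
    """Apply the external data map. Unknown tags stay strings and are flagged;
    values that violate the map are kept as strings and the violation recorded."""
    ev = TypedEvent()
    for tag, raw in fields.items():
        conv = data_map.get(tag)
        if conv is None:
            ev.fields[tag] = raw
            ev.problems.append(f"{tag}: not in data map, kept as string")
            continue
        try:
            ev.fields[tag] = conv(raw)
        except ValueError as exc:
            ev.fields[tag] = raw
            ev.problems.append(f"{tag}: {exc}")
    return ev


# Constructed sample inputs: the first is the message's own example payload.
SAMPLE_OK = "PRIO=5\nSRCUSER=root\nSRCDEV=fratz.ranum.com\nTARGDEV=10.10.10.332\n"
SAMPLE_BAD = "PRIO=42\nSRCDEV=10.0.0.1\nFOO=bar\nTARGDEV=bad_host!\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        ev = type_event(parse_payload(sample))
        print(ev.fields)
        for p in ev.problems:
            print("  problem:", p)
```

Because `parse_payload` never looks at the data map, the wire format stays as simple as the message argues it should be; `type_event` is the single place where the agreed-upon model is enforced, and it can be run at ingest, at export, or both.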
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    