Re: [logs] Syslog payload format

• Previous message: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Next in thread: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Reply: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Reply: Darren Reed: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Balazs Scheidler wrote:
>What do others think about whether typing of tags should be done or not?

I don't think we need to type tags. The whole idea of tagging
the data is to allow it to be implicity typed. So it's OK to
convert to a string for simplicity, if you know the tag. There's
no need to get overcomplex - otherwise we'll just have ASN.1 all
over again.

If I log something as: (using Paul and my data map..)
PRIO=5
SRCUSER=root
SRCDEV=fratz.ranum.com
TARGDEV=10.10.10.332

I can infer the types quite easily from the data map. We KNOW
PRIO is 0 - 11
SRCUSER is a string
SRCDEV is an address or name - so we can subparse it as such
TARGDEV is an address or name

IN FACT, "type inference from tag name" is what XML does, right?
You know in the DTD that a XYZ is a particular type or format. So
you don't need to carry the type info along with the data because
it's been agreed-upon in advance. Whenever tagging comes up as a
topic someone (it's about time...) pipes up and says something
about compression or ineficciency of markup languages. Well, that's
the whole reason for a DTD or agreed-upon tagging scheme: you carry
the data model _OUTSIDE_ of the data. So you don't have to include
all that nonsense. If you really care, you can check for it when
someone passes a logging event IN to the system, or OUT of it, but
it doesn't matter where because at any point in the process, the
declarative type/formatting is external to the data itself.

I've been extremely depressed reading this mailing list. The
amount of additional complexity that keeps getting added to
such a simple problem is really disappointing and we keep
going in circles around the same issues. It's been 2 weeks,
now, so it's about the scheduled time for someone new to the
list to pop up and say "why not use XML"??   :(  :(  :(  Indeed,
XML does _EXACTLY_ the kind of "type inference from tag name"
(e.g.: the DTD) that I am talking about!!!  Now, we've done the
"what would an API for a new syslog client side look like"
discussion and have basically re-discovered syslog twice, varargs
twice, my suggestion twice, and lord knows what else. Collectively,
we're doing such a good job of beating horses to death without
getting anyplace we may as well join the IETF. This stuff is so
damn obvious it's not even funny. It's just logging, it's not
brain surgery.

Frustrated,
mjr. 
---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjrat_private

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: wolfgangat_private: "Re: [logs] Syslog payload format"
• Previous message: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Next in thread: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Reply: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Reply: Darren Reed: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 08:15:53 PST