Re: [logs] Syslog payload format

From: Tevfik Karagulle (tevfikat_private)
Date: Thu Jan 02 2003 - 15:31:24 PST

    Hi folks,
    
    Discussion about -syslog payload format- has been around for a while.
    Interesting discussions and ideas are popping up and flying in every
    direction :-) I take it just as an example.
    
    I feel that it is a little bit difficult (!) to get the whole picture,
    after weeks of mailings about the same subject. What about a discussion
    group? In that way, it may be a lot easier to get an overview and a history
    of posted articles and threads.
    
    Best regards
    
    Tevfik Karagulle
    
    
    ----- Original Message -----
    From: "marc" <marcat_private>
    To: "Balazs Scheidler" <bazsiat_private>
    Cc: <toby.kohlenbergat_private>; <loganalysisat_private>
    Sent: Thursday, January 02, 2003 10:54 PM
    Subject: Re: [logs] Syslog payload format
    
    
    > You wrote:
    > > IMHO the granularity should be controlled by the application not the logging
    > > subsystem. Letting the application log *everything* and filter at the
    > > logging subsystem will cause severe performance loss.
    > >
    > > So I would not put effort into standardizing how application logging
    > > granularity is controlled.
    >
    > That can be solved [1]. Eg, idsa lets you upload a filtering rule into
    > the application [2]. I think a (withdrawn?) X/Open proposal had something similar.
    >
    > For example the below rule will have the connection logger disconnect
    > from idsad and do its own logging [3], and you can do other stuff
    > like prefiltering:
    >
    > service tcplog:
    >   send autorule:string "%true:log file /var/log/idsa/tcplog"
    >
    > regards
    >
    > marc
    >
    > [1] Though you are free to argue that the solution introduces new
    > problems in a distributed system.
    >
    > [2] But only if the application allows it, ie calls idsa_open(=openlog)
    > with a flag (IDSA_F_UPLOAD) saying it is ok.
    >
    > [3] In practice there are complications, the rules sent back have hard
    > size limits and file permissions/chroots tend to trip you up.
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    >
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:43:21 PST