Re: [logs] Syslog payload format

From: marc (marcat_private)
Date: Thu Jan 02 2003 - 13:54:17 PST


    You wrote:
    > IMHO the granularity should be controlled by the application not the logging
    > subsystem. Letting the application log *everything* and filter at the
    > logging subsystem will cause severe performance loss.
    > 
    > So I would not put effort into standardizing how application logging
    > granularity is controlled.
    
    That can be solved [1]. E.g., idsa lets you upload a filtering rule into
    the application [2]. I think a (withdrawn ?) X/Open proposal had
    something similar.
    
    For example the below rule will have the connection logger disconnect
    from idsad and do its own logging [3], and you can do other stuff
    like prefiltering:
    
    service tcplog:
      send autorule:string "%true:log file /var/log/idsa/tcplog"
    
    regards
    
    marc
    
    [1] Though you are free to argue that the solution introduces new
    problems in a distributed system.
    
    [2] But only if the application allows it, i.e. calls idsa_open(=openlog)
    with a flag (IDSA_F_UPLOAD) saying it is ok.
    
    [3] In practice there are complications: the rules sent back have hard
    size limits and file permissions/chroots tend to trip you up.