You wrote:

> IMHO the granularity should be controlled by the application not the logging
> subsystem. Letting the application log *everything* and filter at the
> logging subsystem will cause severe performance loss.
>
> So I would not put effort into standardizing how application logging
> granularity is controlled.

That can be solved [1]. Eg, idsa lets you upload a filtering rule into
the application [2]. I think a (withdrawn ?) X/Open proposal had
something similar.

For example the below rule will have the connection logger disconnect
from idsad and do its own logging [3], and you can do other stuff like
prefiltering:

  service tcplog: send autorule:string "%true:log file /var/log/idsa/tcplog"

regards

marc

[1] Though you are free to argue that the solution introduces new
    problems in a distributed system.

[2] But only if the application allows it, ie calls idsa_open(=openlog)
    with a flag (IDSA_F_UPLOAD) saying it is ok.

[3] In practice there are complications, the rules sent back have hard
    size limits and file permissions/chroots tend to trip you up.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:46:51 PST