Re: [logs] Syslog payload format

From: Marcus J. Ranum (mjrat_private)
Date: Thu Jan 02 2003 - 10:58:03 PST

  • Next message: Marcus J. Ranum: "Re: [logs] Syslog payload format"

    Marcus J. Ranum wrote:
    >newev = eventlog_new();
    I forgot to mention an important design consideration I hid
    within the example above.
    Since each new value that gets added to an event record is
    an individual call to an API there is no need to worry
    about calls stepping on top of eachother if you're doing
    For example, imagine I have a function called 
    char *itoa(int n);
    which converts an into to a string using an internal static
    buffer. OK we know that's a bad idea but it's convenient and
    lots of programmers will use something like it in the code
    that calls stuff.
    Now assume we have a logging API that takes all its params
    on a single call. Then you hook itoa into a call to the logging
    function in a manner that looks like:
    and of course it blows up and everyone is back to allocating
    buffers and life just sucks.
    Another consideration is code checkability. If you use a calling
    structure that is very simple and avoids varargs and %-substitutions
    you can easily declare function prototypes that are going to take
    advantage of the ANSI C features* i.e.:
    extern  int eventlog_addvalue(Event *,const int,char *);
    extern  int eventlog_addvalue_int(Event *,const int,int);
    It may mean an extra function call or two but it makes for
    simpler code, more readable code, and, actually, more error-checkable
    code if you use the approach I outlined.
    (* useless features, but that's another discussion) 
    Marcus J. Ranum
    Computer and Communications Security	mjrat_private
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:49:53 PST