Re: [logs] Syslog payload format

From: Marcus J. Ranum (mjrat_private)
Date: Fri Jan 03 2003 - 07:50:34 PST


    At 04:36 PM 1/3/2003 +0100, Marcus J. Ranum wrote:
    >More important would be IMO to design the new API in a way
    >that it is possible to map it to "classic syslog" using simple
    >C macros.
    The only way to do that is to support untyped freeform log
    %-subs text. If you do that, what's the point of the whole exercise?
    May as well just have a function called "syslog()" that
    does all the syslog stuff except uses tagged date/timestamp
    and machine-ID and priority. In which case the end result of
    all this discussion is a syslog that is only a tiny bit
    less sucky than the current one, which everyone will use
    for everything.  (Let's see, now we've come full-circle to
    the same discussion we had 2 weeks ago..)
    To make progress, you must slay the demon of backwards
    >Right, but I think we should look for a way to make transition
    >to a new system as painless as possible.
    I don't think that's possible, frankly. I'd rather have
    a transition that took advantage of the full value of the
    system than a transition that basically re-implemented
    what we already have with a bunch of enhancements nobody
    >Sounds good. One thing to keep in mind is to clearly identify
    >"free form" tags so we don't run into a situation where a revision
    >of the tag dictionary adds tags that are already in use by some
    I'd suggest that the "known tags" be prefixed with a
    prefix indicating that they are such. I.e: "EVT_DATE"
    or whatever. Then just establish the convention that nobody
    defines their own "EVT_*" tags.
    Marcus J. Ranum
    Computer and Communications Security	mjrat_private
    LogAnalysis mailing list
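    Added example, not from this thread or any of its posters: a small C sketch
    of the two ideas argued over above, a reserved "EVT_" prefix for dictionary
    tags that private tags may not use, and a "simple C macro" that maps a
    tagged event onto classic syslog(3) as a freeform tag=value line. The tag
    dictionary, the sample events and the TAGGED_SYSLOG name are all
    assumptions made for the example. The quoting of values that contain
    spaces or '=' shows why the freeform mapping is lossy unless a convention
    is fixed up front.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Reserved namespace for dictionary-defined tags (the convention proposed in the thread). */
#define EVT_PREFIX "EVT_"

/* One tag=value pair of a structured event. */
typedef struct {
    const char *tag;
    const char *value;
} logtag_t;

/* Hypothetical tag dictionary; a real one would be revision-controlled. */
static const char *const known_tags[] = { "EVT_DATE", "EVT_HOST", "EVT_PRI", "EVT_MSG", NULL };

/* 1 if the tag claims the reserved EVT_ namespace, else 0. */
static int tag_is_reserved(const char *tag) {
    return strncmp(tag, EVT_PREFIX, strlen(EVT_PREFIX)) == 0;
}

/* 1 if the tag is in the dictionary, else 0. */
static int tag_is_known(const char *tag) {
    for (const char *const *k = known_tags; *k; k++)
        if (strcmp(*k, tag) == 0) return 1;
    return 0;
}

/* Index of the first tag that uses the reserved prefix without being in the
 * dictionary (a private tag squatting on EVT_), or -1 if the event is clean. */
static int validate_tags(const logtag_t *tags, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tag_is_reserved(tags[i].tag) && !tag_is_known(tags[i].tag)) return (int)i;
    return -1;
}

/* Bounds-checked append; -1 if the output buffer would overflow. */
static int append(char *out, size_t outlen, size_t *pos, const char *s) {
    size_t len = strlen(s);
    if (*pos + len >= outlen) return -1;
    memcpy(out + *pos, s, len);
    *pos += len;
    out[*pos] = '\0';
    return 0;
}

/* Values containing whitespace, quotes, backslashes or '=' are quoted and
 * escaped; otherwise the freeform line cannot be split back into tags. */
static int append_value(char *out, size_t outlen, size_t *pos, const char *v) {
    if (*v != '\0' && strpbrk(v, " \t\"\\=") == NULL) return append(out, outlen, pos, v);
    if (append(out, outlen, pos, "\"") < 0) return -1;
    for (; *v; v++) {
        char piece[3];
        if (*v == '"' || *v == '\\') { piece[0] = '\\'; piece[1] = *v; piece[2] = '\0'; }
        else { piece[0] = *v; piece[1] = '\0'; }
        if (append(out, outlen, pos, piece) < 0) return -1;
    }
    return append(out, outlen, pos, "\"");
}

/* Render a tagged event as one "tag=value tag=value" line (the lossy mapping
 * to classic syslog). Returns the line length, or -1 on a namespace
 * collision or on truncation. */
static int render_syslog_line(char *out, size_t outlen, const logtag_t *tags, size_t n) {
    size_t pos = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (validate_tags(tags, n) >= 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && append(out, outlen, &pos, " ") < 0) return -1;
        if (append(out, outlen, &pos, tags[i].tag) < 0) return -1;
        if (append(out, outlen, &pos, "=") < 0) return -1;
        if (append_value(out, outlen, &pos, tags[i].value) < 0) return -1;
    }
    return (int)pos;
}

/* The "simple C macro" bridge to syslog(3); events that fail validation or
 * do not fit are dropped rather than logged malformed. */
#define TAGGED_SYSLOG(pri, tags, n) do { char _line[1024]; \
    if (render_syslog_line(_line, sizeof _line, (tags), (n)) >= 0) \
        syslog((pri), "%s", _line); } while (0)

/* Constructed sample event, not taken from any real log. */
static const logtag_t sample_event[] = {
    { "EVT_DATE", "2003-01-03T07:50:34-08:00" },
    { "EVT_HOST", "loghost" },
    { "user",     "mjr" },            /* freeform, site-defined tag */
    { "EVT_MSG",  "login failed" },   /* contains a space: gets quoted */
};
/* Constructed event whose second tag squats on the reserved namespace. */
static const logtag_t colliding_event[] = {
    { "EVT_DATE",   "2003-01-03T07:50:34-08:00" },
    { "EVT_CUSTOM", "oops" },
};

static const char *render_sample_event(void) {
    static char line[256];
    size_t n = sizeof sample_event / sizeof sample_event[0];
    return render_syslog_line(line, sizeof line, sample_event, n) < 0 ? NULL : line;
}
static int sample_collision_index(void) {
    return validate_tags(colliding_event, sizeof colliding_event / sizeof colliding_event[0]);
}

int main(void) {
    printf("%s\n", render_sample_event());
    printf("collision at tag index %d\n", sample_collision_index());
    return 0;
}
```

    The dropped-on-error behaviour of TAGGED_SYSLOG is a design choice to make
    visible: a receiver that silently gets a truncated or ambiguous line is
    worse off than one that gets a counter of rejected events, so a real
    implementation would count the drops somewhere.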

    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:09:31 PST