Re: [logs] Syslog payload format

From: Marcus J. Ranum (mjrat_private)
Date: Fri Jan 03 2003 - 07:21:59 PST

    >Regarding the API I really don't care too much for the details, but IMO
    >the closer the proposed API is to the classic syslog() API the easier
    >it will be to get application programmers to use it.
    
    I wonder if it'd be feasible evil to hook a subparser
    into a C parser and write something that exploded syslog()
    calls out of code and replaced them with the new thing?
    I'm busy as hell right now frying other fish but it
    sounds like it'd be a fun project. Just parse the %-s
    string, and build it into calls. You wouldn't be able to
    automatically assign the tag values, tho. Hm...
    
    At the very least it'd be a good idea to produce a simple
    2-pager for app writers telling them how to convert their
    code.
    
    Wanting to be as close to syslog as possible is a nice
    thought but I believe it's a dangerous one - the syslog
    API has so many things wrong with it that being compatible
    or even close to it will inevitably bring problems or
    impede progress.
    
    >What I'm missing the most in your API is the semantics: as long as the
    >"label" is still a free form text I don't see much of an improvement
    >over the current situation.
    
    The idea is that there is a body of tags that are pre-defined
    and app-writers are supposed to use those tags wherever possible.
    The content of the tagged fields MAY be free form in some cases
    but in other cases will be defined (e.g.: PRIO - an int between 0 and 11).
    It'll be possible for an app writer to use their own tags if they
    need to go outside of the agreed-upon tag dictionary, but hopefully
    that won't need to happen much. Even if it does, we'll only have
    the fields that are custom tagged to figure out because everything
    else will be tagged to the dictionary. It seems a good compromise
    between too free form (current syslog) and overly structured (SNMP).
    
    mjr.
    
    
    
    ---
    Marcus J. Ranum				http://www.ranum.com
    Computer and Communications Security	mjrat_private
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
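
The tag-dictionary idea in the message above, as an added example that is not part of the original post or of any proposed API: a log consumer validates dictionary tags and sets custom tags aside as the only fields left to figure out. Only PRIO and its 0..11 range come from the post; the TAG="value" encoding, the other tag names and the function names are assumptions.

```python
import re

def _prio(value):
    n = int(value)  # ValueError if the field is not an integer
    if not 0 <= n <= 11:
        raise ValueError("PRIO out of range 0..11")
    return n

# Hypothetical dictionary: tag -> validator. PRIO has defined content;
# HOST, PROG and MSG are assumed free-form tags.
TAG_DICTIONARY = {"PRIO": _prio, "HOST": str, "PROG": str, "MSG": str}

# Assumed encoding: TAG="value" pairs, with \" and \\ escaped inside values
# so that a quote in attacker-influenced text cannot start a forged field.
_PAIR = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"\s*')

def parse_record(line):
    """Return (known, custom, errors) for one tagged record."""
    known, custom, errors = {}, {}, []
    line, pos = line.strip(), 0
    while pos < len(line):
        m = _PAIR.match(line, pos)
        if not m:
            errors.append(f"unparseable text at offset {pos}")
            break
        tag = m.group(1)
        value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo escapes
        pos = m.end()
        validator = TAG_DICTIONARY.get(tag)
        if validator is None:
            custom[tag] = value  # outside the dictionary: keep, but flag
            continue
        try:
            known[tag] = validator(value)
        except ValueError as exc:
            errors.append(f"{tag}: {exc}")
    return known, custom, errors

# Constructed sample records, not taken from any real log.
SAMPLES = [
    'PRIO="3" HOST="gw1" MSG="login failed for \\"bob\\"" ACME_SESSION="9f2"',
    'PRIO="12" HOST="gw1" MSG="disk full"',
    'PRIO="3" trailing junk',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_record(sample))
```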
    