Re: [logs] Syslog payload format

• Previous message: Ed Schmollinger: "Re: [logs] SWATCH configuration"
• Next in thread: wolfgangat_private: "Re: [logs] Syslog payload format"
• Reply: wolfgangat_private: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>Regarding the API I really don't care to much for the details, but IMO
>the closer the proposed API is to the classic syslog() API the easier
>it will be to get application programmers to use it.

I wonder if it'd be feasible evil to hook a subparser
into a C parser and write something that exploded syslog()
calls out of code and replaced them with the new thing?
I'm busy as hell right now frying other fish but it
sounds like it'd be a fun project. Just parse the %-s
string, and build it into calls. You wouldn't be able to
automatically assign the tag values, tho. Hm...

At the very least it'd be a good idea to produce a simple
2-pager for app writers telling them how to convert their
code.

Wanting to be as close to syslog as possible is a nice
thought but I believe it's a dangerous one - the syslog
API has so many things wrong with it that being compatible
or even close to it will inevitably bring problems or
impede progress.

>What I'm missing the most in your API is the semantics: as long as the
>"label" ist still a free form text I don't see much of an improvement
>over the current situation.

The idea is that there is a body of tags that are pre-defined
and app-writers are supposed to use those tags wherever possible.
The content of the tagged fields MAY be free form in some cases
but in other cases will be defined (e.g.: PRIO - an int between 0 and 11)
It'll be possible for an app writer to use their own tags if they
need to go outside of the agreed-upon tag dictionary, but hopefully
that won't need to happen much. Even if it does, we'll only have
the fields that are custom tagged to figure out because everything
else will be tagged to the dictionary. It seems a good compromise
between too free form (current syslog) and overly structured (SNMP)

mjr.



---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjrat_private

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: wolfgangat_private: "Re: [logs] Syslog payload format"
• Previous message: Ed Schmollinger: "Re: [logs] SWATCH configuration"
• Next in thread: wolfgangat_private: "Re: [logs] Syslog payload format"
• Reply: wolfgangat_private: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:10:40 PST