Re: [logs] Syslog payload format

From: wolfgangat_private
Date: Fri Jan 03 2003 - 07:36:57 PST

    Marcus J. Ranum wrote:
    
    >> Regarding the API I really don't care too much for the details, but IMO
    >> the closer the proposed API is to the classic syslog() API the easier
    >> it will be to get application programmers to use it.
    
    > I wonder if it'd be feasible evil to hook a subparser
    > into a C parser and write something that exploded syslog()
    > calls out of code and replaced them with the new thing?
    > [..]
    
    More important would be IMO to design the new API in a way
    that it is possible to map it to "classic syslog" using simple
    C macros. If we can do this it would be possible to use the new
    API in e.g. open source projects regardless of the availability
    of the new logging subsystem. The usual (auto-)configuration
    step would then have to find out at compile time which logging
    subsystem is available. The "syslog mapping" should get at least
    as much information into the logs as the current syslog calls do.
    
    > [..]
    > Wanting to be as close to syslog as possible is a nice
    > thought but I believe it's a dangerous one - the syslog
    > API has so many things wrong with it that being compatible
    > or even close to it will inevitably bring problems or
    > impede progress.
    
    Right, but I think we should look for a way to make the transition
    to a new system as painless as possible.
    
    >> What I'm missing the most in your API is the semantics: as long as the
    >> "label" is still a free form text I don't see much of an improvement
    >> over the current situation.
    
    > The idea is that there is a body of tags that are pre-defined
    > and app-writers are supposed to use those tags wherever possible.
    > The content of the tagged fields MAY be free form in some cases
    > but in other cases will be defined (e.g.: PRIO - an int between 0 and 11)
    > It'll be possible for an app writer to use their own tags if they
    > need to go outside of the agreed-upon tag dictionary, but hopefully
    > that won't need to happen much. Even if it does, we'll only have
    > the fields that are custom tagged to figure out because everything
    > else will be tagged to the dictionary. It seems a good compromise
    > between too free form (current syslog) and overly structured (SNMP)
    
    Sounds good. One thing to keep in mind is to clearly identify
    "free form" tags so we don't run into a situation where a revision
    of the tag dictionary adds tags that are already in use by some
    application.
    
    -- 
    Wolfgang Zenker                                  Mail: W.Zenkerat_private
    JPAVES Unix Online GmbH                          Fon:  (+49) 721 / 955 40 60
    Kaiserallee 87                                   Fax:  (+49) 721 / 955 40 62
    D-76185 Karlsruhe                                Web:  www.jpaves.com
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
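
Added example, not part of the original message or of any API proposed on the list: one way the macro mapping to classic syslog and the marking of custom tags discussed above could look in C. `LOG_TAGGED`, `HAVE_NEWLOG`, `newlog_emit`, the `X-` prefix and the sample dictionary are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define CUSTOM_PREFIX "X-"   /* assumption: custom tags carry a reserved prefix */
/* Constructed sample dictionary; the thread does not define one. */
static const char *const tag_dict[] = { "PRIO", "USER", "SRCIP", "MSG" };

/* 1 if tag is in the dictionary or is explicitly marked custom, else 0. */
static int tag_ok(const char *tag)
{
    size_t i, p = strlen(CUSTOM_PREFIX);
    if (strncmp(tag, CUSTOM_PREFIX, p) == 0)
        return tag[p] != '\0';           /* a bare prefix is not a tag */
    for (i = 0; i < sizeof tag_dict / sizeof tag_dict[0]; i++)
        if (strcmp(tag, tag_dict[i]) == 0)
            return 1;
    return 0;
}

/* Flatten n tag/value pairs into TAG="value" TAG="value". Returns the length,
 * or -1 on an unknown tag, a value that could forge a field, or overflow. */
static int flatten(char *out, size_t len, const char *const kv[][2], size_t n)
{
    size_t i, used = 0;
    if (len) out[0] = '\0';
    for (i = 0; i < n; i++) {
        int w;
        if (!tag_ok(kv[i][0]) || strpbrk(kv[i][1], "\"\r\n"))
            return -1;
        w = snprintf(out + used, len - used, "%s%s=\"%s\"",
                     i ? " " : "", kv[i][0], kv[i][1]);
        if (w < 0 || (size_t)w >= len - used)
            return -1;
        used += (size_t)w;
    }
    return (int)used;
}

#ifdef HAVE_NEWLOG            /* would be set by the configure step */
#define LOG_TAGGED(prio, kv, n) newlog_emit((prio), (kv), (n))  /* hypothetical */
#else
/* Fallback: one classic syslog() line; "%s" keeps values out of the format. */
#define LOG_TAGGED(prio, kv, n) do {                                  \
        char b_[512];                                                 \
        if (flatten(b_, sizeof b_, (kv), (n)) >= 0)                   \
            syslog((prio), "%s", b_);                                 \
    } while (0)
#endif
```
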
    



    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:10:57 PST