Re: [logs] Syslog payload format

• Previous message: Balazs Scheidler: "Re: [logs] Syslog payload format"
• In reply to: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Next in thread: wolfgangat_private: "Re: [logs] Syslog payload format"
• Reply: wolfgangat_private: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

You wrote:
> I am thinking along the following lines:
> 
> 1) low level API, something resembling to Marcus's and your API
> 2) a convinience API with format strings and varargs, calls 1) functions
> 3) a syslog compatible wrapper (probably in an LD_PRELOAD-able shared object)

It seems we have the greatest chance of getting a simple and quick
standard at (1):

  - You are going build something like that
  - mjr has proposed some like that
  - I have something like that
  - Rainer suggested Open(), AddPair(Name, Value) and SendAndClose()
  - Darren prefers it over your printf or my variadic approach

[Apologies if I have misrepresented any of the respective positions]

I do not propose anything more than a small library
wrapper which can translate the standard at (1) to idsa, your proposed
implementation, or the old syslog.

So here is the API:

  typedef struct evtlog_handle  EVTLOG_HANDLE;
  typedef struct evtlog_message EVTLOG_MESSAGE;

  EVTLOG_HANDLE *evtlog_open(char *service);
  int   evtlog_close(EVTLOG_HANDLE *handle);

  EVTLOG_MESSAGE *evtlog_new(EVTLOG_HANDLE *handle);
  int evtlog_log(EVTLOG_HANDLE *handle, EVTLOG_MESSAGE *message);

  int evtlog_addstring(EVTLOG_MESSAGE *message, char *label, char *value);
  int evtlog_addinteger(EVTLOG_MESSAGE *message, char *label, int  value);

And here it is in action:

  EVTLOG_HANDLE *handle;
  EVTLOG_MESSAGE *msg;

  handle=evtlog_open("yet-another-httpd");
  ...
  msg = evtlog_new(handle);
  evtlog_addstring(msg, "file", "/var/www/index.html");
  evtlog_addinteger(msg, "status", 500);
  evtlog_addstring(msg, RP_DATAMAP_SRCDEV, remote_ip);
  evtlog_addstring(msg, IDSA_EM, IDSA_EM_INTERNAL);
  evtlog_addinteger(msg, "old-syslog-priority", 3);
  evtlog_log(message);
  ...
  evtlog_close(handle);

It is really minimal, and it doesn't matter if the underlying
format is typed or not, involves xml or plain text, sends using BEEP etc.
Later this can be expanded, for example if people want to
adjust settings:
  int evtlog_setting_crypto(EVTLOG_HANDLE *handle, int enablecrypto);

Kyle's request for binary support could be done using:
  int evtlog_addbinary(EVTLOG_MESSAGE *message, char *label, int len, void *value);

Fancy structure unpacking:
  int evtlog_addsockaddr(EVTLOG_MESSAGE *message, char *label, sockaddr *value);

Formatted string:
  int evtlog_addformat(EVTLOG_MESSAGE *message, char *label, ...);

But for the time being how about just agreeing on the names of the first
6 functions and 2 typedefs ? If somebody prefers EventLog over EVTLOG,
or thinks label should be Key, may we could sort that out ?

Once we have that we can try to standardise the meaning, and argue over
mjr's Logging Data Attribute Map, or my zoo of schemes (.ssm, .err,
.fnl, .am, risk labels, etc). And people will have implementations
which can be used to try out all the approaches.

What do you think ?

regards

marc
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Buck Buchanan: "[logs] Windows Event Log Analysis"
• Previous message: Balazs Scheidler: "Re: [logs] Syslog payload format"
• In reply to: Balazs Scheidler: "Re: [logs] Syslog payload format"
• Next in thread: wolfgangat_private: "Re: [logs] Syslog payload format"
• Reply: wolfgangat_private: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:11:15 PST