Re: [logs] Syslog payload format

From: marc (marcat_private)
Date: Fri Jan 03 2003 - 04:27:05 PST

    You wrote:
    > I am thinking along the following lines:
    > 1) low level API, something resembling Marcus's and your API
    > 2) a convenience API with format strings and varargs, calls 1) functions
    > 3) a syslog compatible wrapper (probably in an LD_PRELOAD-able shared object)
    It seems we have the greatest chance of getting a simple and quick
    standard at (1):
      - You are going to build something like that
      - mjr has proposed something like that
      - I have something like that
      - Rainer suggested Open(), AddPair(Name, Value) and SendAndClose()
      - Darren prefers it over your printf or my variadic approach
    [Apologies if I have misrepresented any of the respective positions]
    I do not propose anything more than a small library
    wrapper which can translate the standard at (1) to idsa, your proposed
    implementation, or the old syslog.
    So here is the API:
      typedef struct evtlog_handle  EVTLOG_HANDLE;
      typedef struct evtlog_message EVTLOG_MESSAGE;
      EVTLOG_HANDLE *evtlog_open(char *service);
      int   evtlog_close(EVTLOG_HANDLE *handle);
      EVTLOG_MESSAGE *evtlog_new(EVTLOG_HANDLE *handle);
      int evtlog_log(EVTLOG_HANDLE *handle, EVTLOG_MESSAGE *message);
      int evtlog_addstring(EVTLOG_MESSAGE *message, char *label, char *value);
      int evtlog_addinteger(EVTLOG_MESSAGE *message, char *label, int  value);
    And here it is in action:
      EVTLOG_HANDLE *handle;
      EVTLOG_MESSAGE *msg;
      /* remote_ip is the client address string; RP_DATAMAP_SRCDEV, IDSA_EM and
         IDSA_EM_INTERNAL are label/value constants from the attribute-map and idsa headers;
         "httpd" is a placeholder service name */
      handle = evtlog_open("httpd");
      msg = evtlog_new(handle);
      evtlog_addstring(msg, "file", "/var/www/index.html");
      evtlog_addinteger(msg, "status", 500);
      evtlog_addstring(msg, RP_DATAMAP_SRCDEV, remote_ip);
      evtlog_addstring(msg, IDSA_EM, IDSA_EM_INTERNAL);
      evtlog_addinteger(msg, "old-syslog-priority", 3);
      evtlog_log(handle, msg);
      evtlog_close(handle);
    It is really minimal, and it doesn't matter if the underlying
    format is typed or not, involves xml or plain text, sends using BEEP etc.
    Later this can be expanded, for example if people want to
    adjust settings:
      int evtlog_setting_crypto(EVTLOG_HANDLE *handle, int enablecrypto);
    Kyle's request for binary support could be done using:
      int evtlog_addbinary(EVTLOG_MESSAGE *message, char *label, int len, void *value);
    Fancy structure unpacking:
      int evtlog_addsockaddr(EVTLOG_MESSAGE *message, char *label, struct sockaddr *value);
    Formatted string:
      int evtlog_addformat(EVTLOG_MESSAGE *message, char *label, ...);
    But for the time being how about just agreeing on the names of the first
    6 functions and 2 typedefs? If somebody prefers EventLog over EVTLOG,
    or thinks label should be Key, maybe we could sort that out?
    Once we have that we can try to standardise the meaning, and argue over
    mjr's Logging Data Attribute Map, or my zoo of schemes (.ssm, .err,
    .fnl, .am, risk labels, etc). And people will have implementations
    which can be used to try out all the approaches.
    What do you think?
    LogAnalysis mailing list
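A reference implementation of the six proposed calls and two typedefs, added here as an example and not code from the thread: it renders each message as one line of `service: label="value"` pairs and hands it to the old syslog(3), the "wrapper to the old syslog" case the message mentions. The struct layouts, the 1024-byte record buffer, quoting integers like strings, and the escaping of quotes and line breaks in values are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
typedef struct evtlog_handle  { char service[64]; } EVTLOG_HANDLE;
typedef struct evtlog_message { EVTLOG_HANDLE *handle; size_t len; char text[1024]; } EVTLOG_MESSAGE;
EVTLOG_HANDLE *evtlog_open(char *service) {
    EVTLOG_HANDLE *h = service ? calloc(1, sizeof *h) : NULL;
    if (h) snprintf(h->service, sizeof h->service, "%s", service);
    return h;
}
int evtlog_close(EVTLOG_HANDLE *handle) { if (!handle) return -1; free(handle); return 0; }
EVTLOG_MESSAGE *evtlog_new(EVTLOG_HANDLE *handle) {
    EVTLOG_MESSAGE *m = handle ? calloc(1, sizeof *m) : NULL;
    if (m) { m->handle = handle; m->len = (size_t)snprintf(m->text, sizeof m->text, "%s:", handle->service); }
    return m;
}
/* Bounded append: fails rather than truncates, so a pair is never half-written. */
static int put(EVTLOG_MESSAGE *m, const char *s) {
    size_t n = strlen(s);
    if (m->len + n >= sizeof m->text) return -1;
    memcpy(m->text + m->len, s, n + 1); m->len += n;
    return 0;
}
/* Append ` label="value"`. Quotes, backslashes and line breaks in the value are
 * escaped so data copied from a request cannot close the field or forge a
 * second record; labels are assumed to be program constants, not input. */
static int append_pair(EVTLOG_MESSAGE *m, const char *label, const char *value) {
    if (!m || !label || !value || put(m, " ") || put(m, label) || put(m, "=\"")) return -1;
    for (; *value; value++) {
        char esc[3] = { '\\', *value, 0 };
        const char *out = esc + 1;                       /* plain character */
        if (*value == '"' || *value == '\\') out = esc;  /* backslash-escaped */
        else if (*value == '\n') out = "\\n"; else if (*value == '\r') out = "\\r";
        if (put(m, out)) return -1;
    }
    return put(m, "\"");
}
int evtlog_addstring(EVTLOG_MESSAGE *msg, char *label, char *value) { return append_pair(msg, label, value); }
int evtlog_addinteger(EVTLOG_MESSAGE *msg, char *label, int value) {
    char buf[32]; snprintf(buf, sizeof buf, "%d", value);
    return append_pair(msg, label, buf);
}
/* Ship the finished line through the old syslog(3) and release the message. */
int evtlog_log(EVTLOG_HANDLE *handle, EVTLOG_MESSAGE *message) {
    if (!handle || !message || message->handle != handle) return -1;
    syslog(LOG_INFO, "%s", message->text);
    free(message);
    return 0;
}
```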

    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:11:15 PST