[logs] syslog compatibility (was: Syslog payload format)

• Previous message: Mikael Olsson: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I think we mixed up different kinds of compatibility problems in
our discussion that should be kept separated:

A) Making the conversion from "classic" to "new" logging API easy.

B) Enable the use of the "new" logging API even on systems having only
   a "classic" syslog back end.

C) Getting the log data from "classic" applications into the "new"
   logging subsystem.

Going more into the details:

A) old API / new API:
   If the new API would resemble classical syslog enough so that
   changing an application to use the new API would be a job of
   a few minutes instead of a few days then it would certainly
   help to get more applications to move over. However I'm not sure
   if this can be achieved and could live without it.

B) new API / old syslog:
   This kind of compatibility will be required IMO to get around
   the chicken/egg problem. You won't get open source developers
   to use the new API if that adds a dependancy on an as yet not
   widely used logging back end. Maybe we don't need to be able to
   rely on macros alone and can add a little conditionally compiled
   C code, but I think it is necessary that the availability of the
   new logging subsystem can be checked automatically at configure/
   compile time and that programs using the new API do produce
   "usable" (not "pretty") logs even if the new back end is not
   available. I don't think this should be to difficult, just
   generate a long text message with key/value-pairs, split if
   its to long and feed to syslog(3).

C) old API / new syslog:
   We probably will have to deal with this situation for a pretty
   long time because there's a huge number of applications out there
   that can't or won't be changed for various reasons. The best
   solution I can think of would be to create a specialised kind
   of log relay demon. This demon would listen on the "classic"
   syslog ports and act as a log client to the new logging back end,
   relaying the messages flagged as "unparsed old style syslog".
   If we want to get fancy, we can add parser plugins that would
   parse known well formed messages from old applications and send
   them on as "parsed/reformatted old syslog" if they match the
   parser rules.

-- 
Wolfgang Zenker                                  Mail: W.Zenkerat_private
JPAVES Unix Online GmbH                          Fon:  (+49) 721 / 955 40 60
Kaiserallee 87                                   Fax:  (+49) 721 / 955 40 62
D-76185 Karlsruhe                                Web:  www.jpaves.com
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: H C: "Re: [logs] Windows Event Log Analysis"
• Previous message: Mikael Olsson: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:54:49 PST