[logs] syslog compatibility (was: Syslog payload format)

From: wolfgangat_private
Date: Fri Jan 03 2003 - 10:57:53 PST

    I think we mixed up different kinds of compatibility problems in
    our discussion that should be kept separated:
    A) Making the conversion from "classic" to "new" logging API easy.
    B) Enable the use of the "new" logging API even on systems having only
       a "classic" syslog back end.
    C) Getting the log data from "classic" applications into the "new"
       logging subsystem.
    Going more into the details:
    A) old API / new API:
       If the new API would resemble classical syslog enough so that
       changing an application to use the new API would be a job of
       a few minutes instead of a few days then it would certainly
       help to get more applications to move over. However I'm not sure
       if this can be achieved and could live without it.
    B) new API / old syslog:
       This kind of compatibility will be required IMO to get around
       the chicken/egg problem. You won't get open source developers
       to use the new API if that adds a dependency on an as yet not
       widely used logging back end. Maybe we don't need to be able to
       rely on macros alone and can add a little conditionally compiled
       C code, but I think it is necessary that the availability of the
       new logging subsystem can be checked automatically at configure/
       compile time and that programs using the new API do produce
       "usable" (not "pretty") logs even if the new back end is not
       available. I don't think this should be too difficult, just
       generate a long text message with key/value-pairs, split if
       it's too long and feed to syslog(3).
    C) old API / new syslog:
       We probably will have to deal with this situation for a pretty
       long time because there's a huge number of applications out there
       that can't or won't be changed for various reasons. The best
       solution I can think of would be to create a specialised kind
       of log relay demon. This demon would listen on the "classic"
       syslog ports and act as a log client to the new logging back end,
       relaying the messages flagged as "unparsed old style syslog".
       If we want to get fancy, we can add parser plugins that would
       parse known well formed messages from old applications and send
       them on as "parsed/reformatted old syslog" if they match the
       parser rules.
    Wolfgang Zenker                                  Mail: W.Zenkerat_private
    JPAVES Unix Online GmbH                          Fon:  (+49) 721 / 955 40 60
    Kaiserallee 87                                   Fax:  (+49) 721 / 955 40 62
    D-76185 Karlsruhe                                Web:  www.jpaves.com
    LogAnalysis mailing list
