[logs] EventLog library

From: Balazs Scheidler (bazsiat_private)
Date: Mon Jan 06 2003 - 09:54:25 PST

    Hi,
    
    I have released the first public version of eventlog 0.1 which is available
    at 
    
    http://www.balabit.hu/downloads/eventlog/0.1/src/
    
    I have tried to do my best at using consistent naming and a simple & flexible
    implementation, and although I'm quite sure there are some problems here and
    there, I am more or less satisfied.
    
    I developed the library on Debian GNU/Linux 3.0 and did not compile it on
    anything else, so I'm sure there are some portability problems left.
    
    I have also included some documentation but I am sure it is not perfect now.
    
    The library currently supports three event representations:
    
    * plain, the one I was advocating for, with the ';' in it
    * xmlattr, where log tags are represented as XML attributes of a single XML tag
    * xmltag, where log tags are represented as XML tags, wrapped in a single XML tag
    
    Of course the special characters are escaped as necessary. The only output
    module currently supported is 'local' which uses the syslog() function in
    libc to fire off a message. This might be changed when a syslog() wrapper
    will be implemented.
    
    A couple of features worth noting:
    - TAG ordering
      Although log processing programs will not care about which order tags are
      listed, humans are a bit more picky. I assigned a priority to each tag
      which defines the order those tags are written.
    
    - Implicit tags
      The set of implicit tags (e.g. generated automatically) is not burnt in,
      you can provide additional functions which add tags to freshly initialized
      event records. The current one implemented in the library optionally adds
      these fields to each message:
    
        PID, PROG, ISOSTAMP, UTCSTAMP, TIMEZONE, MSGID 
    
      The administrator is free to pick which attributes are to be actually
      used. 
    
      MSGID is not calculated yet; it is meant to be some kind of checksum of
      the message description. (First 32 bits of the MD5 sum? It seems to be too
      heavy. Does anyone know how msgid(1M) on Solaris works?)
    
    - Configuration file
      The library reads /etc/eventlog.conf where the administrator can customize
      the way the library works. Its format is described in doc/DESIGN.txt.
    
    - TAGS are defined as strings, however a clear roadmap should be provided
      on how the tag name should be chosen. I suggest a format like this:
      'namespace:tagname'. The tags in different namespaces can then be
      standardized. The namespace can be omitted in case of often used tags like
      PID.
    
    Here's a sample program which builds an event record, shows it to the user,
    and also sends it to the log:
    
    #include "evtlog.h"
    #include <stdio.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <syslog.h>   /* LOG_AUTH and LOG_INFO used below */
    
    int
    main(void)
    {
      EVTREC *e;
      char *es;
      
      evt_open("evtfmt", LOG_AUTH);
      evt_rec_init(&e, LOG_INFO, "Test message with an embedded ';' in it. It also contains an <XML> like tag.");
      evt_tag_str(e, 0, "test:tag", "'value'");
      evt_tag_str(e, 0, "test:tag2", "\n\n\n\n");
      evt_tag_int(e, -10, "test:fd", fileno(stderr));
      evt_tag_errno(e, -5, "test:error", EAGAIN);
      evt_tag_printf(e, 0, "test:printf", "%d %d", 5, 6);
      
      es = evt_format(e);
      printf("%s\n", es);
      free(es);
      
      evt_log(e);
      
      evt_rec_free(e);
      return 0;
    }
    
    The way the message is formatted can be controlled by the /etc/eventlog.conf
    file:
    
    ---- quote ----
    outmethod local
    format xmltag
    implicit_tags 0x3f
    ---- quote ----
    
    outmethod: only local is defined, which uses syslog()
    format: one of plain|xmltag|xmlattr
    implicit_tags: bit fields, look at the source which bit means what
    
    I also faced a couple of problems I either solved or left open. These are:
    
    * tag naming, namespaces 
      not really the scope of this library but should be documented somewhere
    
    * tag ordering
      currently implemented as a number assigned to tags
    
    * character set?
      should we support different character sets? I think we should, but I'm not
      sure.
    
    * output modules character conversion
      should we use a single character encoding on the wire (UTF-8?)? Would it
      be mandatory, or should it be configurable?
    
    * how to store the (prio, tagname) tuple?
      I assigned a priority to tags to support tag ordering. This is done by
      using functions like this:
        evt_tag_str(e, 10, "testtag", "value")
    
      Currently I defined macros like this:
        #define EVT_TAG_TESTTAG	10, "testtag"
    
      which can be substituted in function calls like this:
        evt_tag_str(e, EVT_TAG_TESTTAG, "value")
    
      However I don't like this too much. Maybe a separate struct to specify 
      tags should be defined, but that would bloat the caller's code.
    
    * syslog facility/priority mapping?
    
      The syslog facility and priority values are currently mandatory; they
      might be converted to simple tags, but how to send messages which do not
      specify them?
    
    
    What still needs to be done:
    
    Features of the library:
      * a friendlier function interface I've mentioned in one of my earlier
        mails
      * a syslog wrapper
      * more output modules: UDP, TCP, BEEP (BEEP is tricky to implement using a
        blocking scheme though)
      * some optimization here and there (small & many memory allocations for
        example)
      * better configuration parsing
      * portability fixes (configure script is present but is not really useful)
    
    Administrative:
      * a policy to define tags
      * a set of standard tags for different applications
    
    And finally:
      * applications, applications, applications
    
    To help the final step, I'm going to convert syslog-ng to emit messages
    using eventlog, and also schedule it into our Zorp project.
    
    I think the 'administrative' part is really important for this to become successful.
    
    I would appreciate some feedback.
    
    PS: the library is about 1000 lines of code:
          13%    copyright headers
           5%    comments
         15-20%  structure & function definitions
    
    -- 
    Bazsi
    PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 19:48:42 PST