> > > Here's a sample program which builds an event record, shows it to > > > the user, and also sends it to the log: > > > > > > #include "evtlog.h" > > > #include <stdio.h> > > > #include <errno.h> > > > #include <stdlib.h> > > > > > > int > > > main(void) > > > { > > > EVTREC *e; > > > > IDSA_CONNECTION *handle; > > IDSA_EVENT *msg; > > > > > evt_open("evtfmt", LOG_AUTH); > > > > handle=idsa_open(argv[0], NULL, 0); > > > > So you are hiding global state from the user. Presumably > > that means thread locking in or around evt_open/log ? For > the sake of > > getting a standard wrapper that is ok with me though, I can > hide the > > idsa_connection handle > > I was under the impression that a single log 'connection' > will be used by a single application, therefore the global > state is stored in a single, global EVTCONFIG structure. Mmmhhhh... Thinking twice, I would prefer to have a "log handle". Think about an app that is expandable by plug-ins. Under Win32, you'll probably do this as in-process dlls. Now the add-in has the problem of knowing in what state the main app is. It is cleaner if each "user" (code) can aquire (and hopefully free) his own handle.... > I think it is difficult to completely forget about syslog > severities though. The major transport for these messages > will be syslog. We either need a function to map some 'new' > priority field to standard syslog priority, _or_ we use > syslog priority and require the application to define its own > tag if it wants more. > > The 11 valued field mjr has proposed was quite IDS specific. > The ones you use are IDSA specific, and I don't either of you > could work with the other's priority definition. Again, I would vote for syslog pri/fac. Keep in mind people know how to deal with this (well, at least some ;). This is a plus I would like to drag over. I like a minimal change approach. The more you change, the more you break. Especially when it comes to acceptance... (yes, I know I went to far with this approach in the timestamp area - but I nevertheless try ;)). > > > evt_tag_printf(e, 0, "test:printf", "%d %d", 5, 6); > > > > idsa_add_printf(msg, IDSA_LDM_PROTO, "HTTP/%d.%d", 1, 0); > > > > > es = evt_format(e); > > > printf("%s\n", es); > > > free(es); > > > > I don't have that in idsalite > > This function is needed only if the application wants to > perform its own logging but still wants to use the tagged > message format. I think it is very useful. It should stay there... > > > > > * tag naming, namespaces > > > not really the scope of this library but should be documented > > > somewhere > > > > I have tag names in idsa_schemes.h. I have included the logging > > data map under the namespace .ldm-1. I hope Marcus and Paul don't > > object - I mailed them on Sunday. > > I'll try to write something about tag naming. I suggest we get Marcus on board (well, he already is ;)) > I'd prefer using XML namespaces for tag naming. Other opinions? Sounds reasonable... Has prooven to solve this kind of problems... Marcus? Rainer _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 08:09:13 PST