On Wed, 2010-10-20 at 21:57 -0400, Lars Kellogg-Stedman wrote:
I've been playing with 3.2beta1 recently and getting my feet wet with the patterndb support, which I haven't had a chance to work with before. I have a few thoughts regarding the patterndb rule syntax, mostly targeted at making things a little bit easier to work with.
- Rule IDs
Is there any particular reason why unique IDs were selected as rule identifiers? They're not particularly meaningful to people, and they're hard to talk about. It's much easier to say, "we're suddenly seeing lots of matches for ssh-accept-connection" than it is to say, "we're suddenly seeing lots of matches for 4dd5a329-da83-4876-a431-ddcb59c2858c". With the current version of syslog-ng it looks like it's possible to use arbitrary identifiers in place of UUIDs, and that's what I'm doing for my local rulesets.
This even makes classification metadata more useful, because .classifier.rule_id=ssh-accept-connection is immediately meaningful, while a UUID is useless unless I go grepping around the database.
I've removed the requirement to use UUIDs for these IDs from the XML schema. Until I have a better idea, it just requires any kind of string. Here's the patch:

commit f334d4363b2dd38190e74d502f8fc266628944a7
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Thu Oct 21 17:25:44 2010 +0200

    patterndb-3.xsd: do not require UUID format for rule/ruleset IDs

    For now, we're going to use UUIDs in patterndb, but that may change later.

-- 
Bazsi
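Once the schema accepts any string as a rule or ruleset id, the only thing keeping those ids unique and readable is local discipline, and a duplicate or sloppy id shows up later as an ambiguous ${.classifier.rule_id} in whatever is alerting on the classified messages. The following is an added example, not code from this thread or from syslog-ng: a small Python lint that parses a constructed patterndb v3 ruleset and reports ids that are duplicated within their element type, or that are neither a canonical UUID nor a lowercase slug such as ssh-accept-connection. The XML layout (patterndb / ruleset / rules / rule with an id attribute), the sample patterns and the ids themselves are assumptions built for illustration.

```python
"""Lint rule and ruleset ids in a patterndb v3 XML file.

Added example, not syslog-ng's own code. The XML skeleton below follows
the patterndb v3 layout as assumed for this illustration; the patterns
and ids are constructed sample data.
"""
import re
import uuid
import xml.etree.ElementTree as ET

# Human-readable ids: lowercase slug, e.g. "ssh-accept-connection".
SLUG_RE = re.compile(r"^[a-z0-9]+(?:[-_.][a-z0-9]+)*$")

# Constructed sample ruleset: one UUID id (still fine after the schema
# change), one slug id, that same slug id duplicated, and one id with
# whitespace that would be awkward to talk about and to filter on.
SAMPLE_PDB = """<patterndb version="3" pub_date="2010-10-21">
  <ruleset name="sshd" id="sshd">
    <patterns><pattern>sshd</pattern></patterns>
    <rules>
      <rule provider="local" id="4dd5a329-da83-4876-a431-ddcb59c2858c" class="system">
        <patterns><pattern>Accepted @ESTRING:auth_method: @for @ESTRING:username: @from @ESTRING:client_addr: @port @NUMBER:port@ ssh2</pattern></patterns>
      </rule>
      <rule provider="local" id="ssh-accept-connection" class="system">
        <patterns><pattern>Connection from @ESTRING:client_addr: @port @NUMBER:port@</pattern></patterns>
      </rule>
      <rule provider="local" id="ssh-accept-connection" class="system">
        <patterns><pattern>Closed connection</pattern></patterns>
      </rule>
      <rule provider="local" id="bad id with spaces" class="violation">
        <patterns><pattern>Failed password for @ESTRING:username: @from</pattern></patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""


def is_uuid(value):
    """True only for a canonically formatted (hyphenated) UUID."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def id_is_acceptable(value):
    """Accept either the old UUID form or a lowercase slug."""
    return is_uuid(value) or bool(SLUG_RE.match(value))


def lint_ids(xml_text):
    """Return a list of (id, problem) tuples; an empty list means clean.

    Uniqueness is checked separately for rulesets and for rules, since
    it is the rule id that ends up in .classifier.rule_id.
    """
    root = ET.fromstring(xml_text)
    problems = []
    seen = {"ruleset": set(), "rule": set()}
    for elem in root.iter():
        if elem.tag not in seen:
            continue
        rid = elem.get("id")
        if rid is None:
            problems.append((elem.tag, "missing id attribute"))
            continue
        if rid in seen[elem.tag]:
            problems.append((rid, "duplicate id"))
        seen[elem.tag].add(rid)
        if not id_is_acceptable(rid):
            problems.append((rid, "id is neither a UUID nor a lowercase slug"))
    return problems


if __name__ == "__main__":
    for rid, problem in lint_ids(SAMPLE_PDB):
        print(f"{rid!r}: {problem}")
```

Run against the constructed sample this flags exactly two ids: the duplicated ssh-accept-connection and the id containing spaces; the UUID and the single slug pass. The slug regex is deliberately stricter than the relaxed schema so that the ids stay greppable and safe to use unquoted in filter expressions.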