I agree it's really nice to have those kinds of attributes in there. Maybe what I'm talking about then is a serial number in addition to CLSID, and in addition to whatever human-readable name. So something like:

<rule provider='CzP' class='violation' name='czp-sshd-1' id=...CLSID... serial=1234567890>

So you could use the name attribute for the human-readable part, keep the ids the way they currently are, and have a serial number for indexing.

On Tue, Jun 29, 2010 at 12:08 PM, Peter Czanik <czanik@balabit.hu> wrote:
Hello,
On 2010-06-29 17:11, Martin Holste wrote:
My initial concern with the format of the pattern-db XML is with the CLSID-style IDs. I understand the advantages of CLSIDs, but it is very expensive to create database indexes on them because of their enormous length. I would prefer to have an integer ID in the pattern XML somewhere. Other opinions?
Well, the current solution is the only guarantee that the IDs are unique. In my own rules I use a different naming for IDs, to make it more human readable. I use a combination of my nickname, program name and a number. For example:
<ruleset name='sshd' id='czp-sshd'>
  <rule provider='CzP' id='czp-sshd-1' class='violation'>
  <rule provider='CzP' id='czp-sshd-2' class='system'>
This is way shorter than IDs in the sample database. And when used in a config file, it is a lot easier to read. Of course, it is far from perfect, but a lot more convenient.
Bye, CzP