On Sat, 2010-07-10 at 14:56 -0500, Martin Holste wrote:
> Looking good. One picky thing: the line containing "NV pair names should only contain alphanumeric characters (a-zA-Z0-9)" should maybe include the underscore and dot in the regexp to avoid confusion, or at least the underscore.

Done.

> Also, I think "generic" may not be the term you're looking for when describing your initial schema design. To me, "per-schema tables" better describes the layout, as technically, my method of dumping all logs into one table is more "generic" in that it's a one-size-fits-all table setup.

Done.

> I'm noting that it's a bit difficult to discuss the patterndb schema and DB layouts because I keep wanting to refer to DB schemas, which is confusing. Could we instead call the patterndb schemas "rule sets," as per the original patterndb.xml, instead of schemas? That way we know when discussing schemas that it can only refer to DB tables. It is more clear to me to say "one type of schema is to have one table per rule set."

Well, the ruleset in patterndb refers to the application, rather than the different log message types it emits (e.g. a ruleset has a given PROGRAM name which applies to all rules within the same ruleset). It is quite a bit of work to rewrite the relevant sections; I'm not against renaming, though.

The CEE project uses:

* taxonomy = the meaning of the event (e.g. user login)
* dictionary = the name-value pairs

The problem with the CEE naming is: taxonomy could be translated to our "combination-of-schemas", more specifically the set of tags associated with a message. And the dictionary itself is taxonomy independent, which I feel can be problematic in the long run.

-- 
Bazsi