In CEE, OAS triad will likely be used as "default tags" for all messages.
Is it a recursive hierarchy? e.g. is it possible to organize bunches to even higher level bunches?
Actually, we have not thought about it yet :-(
Also what I see unsolved is how the user can easily sort messages into files/tables by bunch.
This probably has to be done inside the log analysis tool that is aware of tags and their bunches.
Although if I were to define multi-value name-value pairs the one above could expand to multiple file writes. This way writing by tags or by bunches should be very simple.
Multi-value N=V pairs are evil. They kill log parsers and RDBMS :-) We did think a lot about this conundrum of src_IP="10.10.1.2,10.10.1.3" and might well recommend that it never happens. If we have to deaggregate logs (thus exploding the volume) the whole thing would be a mess...

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
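The following is an added example, not code from the thread or from CEE, illustrating the conundrum above: a flat name=value parser swallows src_IP="10.10.1.2,10.10.1.3" as one string, while storing one row per value requires either exploding the event into a cartesian product of rows (the volume blow-up mentioned) or moving multi-values into a side table keyed by event id. The sample line, the field names and the `MULTI_VALUE_FIELDS` list are constructed for the example.

```python
"""Added example (not from the thread): what a multi-valued name=value field
does to a flat log parser and to a row-per-event table."""
import itertools
import re

# Constructed sample line in a CEE-style name=value layout (not a real log).
SAMPLE_LINE = ('action=login status=failure '
               'src_ip="10.10.1.2,10.10.1.3" user="alice,bob,carol"')

# name=value, where value is either a double-quoted string or a bare token
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields this example assumes may carry comma-separated multi-values
MULTI_VALUE_FIELDS = ("src_ip", "user")


def parse_nv(line):
    """Parse name=value pairs into a dict, stripping surrounding quotes.
    A flat parser like this keeps the whole comma list as one opaque value,
    so src_ip no longer compares or indexes like a single address."""
    record = {}
    for name, raw in _PAIR_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        record[name] = raw
    return record


def split_multi(record, multi_fields=MULTI_VALUE_FIELDS):
    """Turn every field into a list: multi-valued fields are split on commas,
    single-valued fields become one-element lists."""
    return {k: (v.split(",") if k in multi_fields else [v])
            for k, v in record.items()}


def deaggregate(record, multi_fields=MULTI_VALUE_FIELDS):
    """Explode one event into one flat row per combination of multi-values.
    Row count is the product of the value counts, which is the volume explosion
    the reply warns about (2 IPs x 3 users = 6 rows for one event)."""
    lists = split_multi(record, multi_fields)
    names = list(lists)
    return [dict(zip(names, combo))
            for combo in itertools.product(*(lists[n] for n in names))]


def normalize(event_id, record, multi_fields=MULTI_VALUE_FIELDS):
    """Alternative that avoids duplicating the event row: keep single-valued
    fields on the event row and put each multi-value into a
    (event_id, name, value) side table, one row per value."""
    event_row = {"event_id": event_id}
    side_rows = []
    for name, values in split_multi(record, multi_fields).items():
        if name in multi_fields:
            side_rows.extend((event_id, name, v) for v in values)
        else:
            event_row[name] = values[0]
    return event_row, side_rows


if __name__ == "__main__":
    rec = parse_nv(SAMPLE_LINE)
    print("flat parse keeps the comma list:", rec["src_ip"])
    print("deaggregated rows:", len(deaggregate(rec)))
    print("normalized:", normalize(1, rec))
```

Run it to see the two costs side by side: `deaggregate` multiplies rows per event and repeats every single-valued field in each copy, while `normalize` keeps one event row but forces a join to answer "which events involved 10.10.1.3", which is why a schema that simply forbids multi-values is the easier option for parsers and databases.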