[syslog-ng] [announce] patterndb project
Balazs Scheidler
bazsi at balabit.hu
Thu Jul 1 12:53:56 CEST 2010
On Wed, 2010-06-30 at 21:13 -0500, Martin Holste wrote:
> Cool, I'll have a look at the OSE 3.2 roadmap.
>
> I should note that while I've done extensive testing in MongoDB, I'm
> currently using MySQL and a standard SQL schema for production. The
> main reason is speed, though I expect MongoDB to catch up eventually.
> CouchDB is extremely slow, comparatively, for sustained inserts, and I
> doubt it will ever be a viable option for high-performance logging.
> At any rate, a SQL schema would be fine with me.
>
> Yes, I mean UUID when I say CLSID. I think that requiring a central
> place to administer the IDs is actually a strength, not a weakness,
> because it encourages collaboration and peer review. By getting an
> ID, it means that the signature has been vetted. The
> EmergingThreats.net Snort signatures are borne from such a process and
> are much stronger because of the open discussion, debate, and peer
> review.
I understand, and I guess we could create a policy that makes it
possible to create a private ID space (similar to private IP addresses),
which is guaranteed not to collide with "official" IDs.
What about an

  application-name[@provider.tld]

 * official samples would only contain "application-name"
 * private samples would have their domain name appended

For instance, the official ID for OpenSSH log patterns would be:

  opensshd

Whereas if you wanted to create your samples for application foo, that
would look like:

  foo@balabit.com

What do you think?
--
Bazsi