[syslog-ng] [announce] patterndb project
Balazs Scheidler
bazsi at balabit.hu
Tue Jul 13 12:45:03 CEST 2010
On Sat, 2010-07-10 at 14:56 -0500, Martin Holste wrote:
> Looking good. One picky thing: the line containing "NV pair names
> should only contain alphanumeric characters (a-zA-Z0-9)" should maybe
> include the underscore and dot in the regexp to avoid confusion, or at
> least the underscore.
done.
>
> Also, I think "generic" may not be the term you're looking for when
> describing your initial schema design. To me, "per-schema tables"
> better describes the layout, as technically, my method of dumping all
> logs into one table is more "generic" in that it's a one-size-fits-all
> table setup.
done.
>
> I'm noting that it's a bit difficult to discuss the patterndb schema
> and DB layouts because I keep wanting to refer to DB schemas, which is
> confusing. Could we instead call the patterndb schemas "rule sets,"
> as per the original patterndb.xml, instead of schemas? That way we
> know when discussing schemas that it can only refer to DB tables. It
> is more clear to me to say "one type of schema is to have one table
> per rule set."
well, the ruleset in patterndb refers to the application, rather than
the different log message types it emits. (e.g. a ruleset has a given
PROGRAM name which applies to all rules within the same ruleset).
It is quite a bit of work to rewrite the relevant sections; I'm not
against renaming, though.
The CEE project uses:
* taxonomy = the meaning of the event (e.g. user login)
* dictionary = the name-value pairs
The problem with the CEE naming is: taxonomy could be translated to our
"combination-of-schemas", more specifically the set of tags associated
with a message. And, the dictionary itself is taxonomy independent,
which I feel can be problematic in the long run.
--
Bazsi
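As an added example (not part of the list mail or of syslog-ng itself), a small checker for the two points discussed above: it walks the `@PARSER:name:args@` references of the rules in one ruleset, which all share the ruleset's PROGRAM name, and flags NV pair names outside the suggested character set, assumed here to be alphanumerics plus underscore and dot; it also flags one NV name parsed with different parser types in rules of the same ruleset, an added check that matters for a one-table-per-ruleset layout. The ruleset and patterns are constructed sample data.

```python
import re

# Allowed NV pair name characters (assumption: underscore and dot both accepted).
NV_NAME_RE = re.compile(r"^[A-Za-z0-9_.]+$")


def parser_refs(pattern: str):
    """Return [(parser_type, nv_name), ...] for each @PARSER:name[:args]@
    reference in a patterndb pattern. '@@' is a literal '@' and is skipped."""
    refs, i = [], 0
    while i < len(pattern):
        if pattern[i] != "@":
            i += 1
            continue
        if pattern.startswith("@@", i):          # escaped literal '@'
            i += 2
            continue
        end = pattern.find("@", i + 1)
        if end == -1:
            raise ValueError(f"unterminated parser reference at offset {i}")
        parts = pattern[i + 1:end].split(":", 2)  # type, name, optional args
        refs.append((parts[0], parts[1] if len(parts) > 1 else ""))
        i = end + 1
    return refs


def check_ruleset(ruleset: dict):
    """Return a list of problem strings for one ruleset (one PROGRAM, many rules)."""
    problems, seen = [], {}
    prog = ruleset["program"]
    for rule_no, pattern in enumerate(ruleset["rules"], 1):
        for ptype, name in parser_refs(pattern):
            if not name:                          # anonymous parser, nothing stored
                continue
            if not NV_NAME_RE.match(name):
                problems.append(f"{prog} rule {rule_no}: NV name {name!r} "
                                f"has characters outside [A-Za-z0-9_.]")
            prev = seen.setdefault(name, ptype)
            if prev != ptype:
                problems.append(f"{prog} rule {rule_no}: NV name {name!r} "
                                f"parsed as {ptype} but earlier as {prev}")
    return problems


# Constructed sample ruleset; rule 2 uses a hyphen, rule 3 re-types src_port.
SAMPLE_RULESET = {
    "program": "sshd",
    "rules": [
        "Accepted @ESTRING:auth_method: @for @ESTRING:user: @from @IPv4:src_ip@ port @NUMBER:src_port@ ssh2",
        "Failed password for @ESTRING:user: @from @IPv4:src-ip@ port @NUMBER:src_port@ ssh2",
        "Received disconnect from @IPv4:src_ip@ port @ESTRING:src_port::@ @ANYSTRING:reason@ (user@@host)",
    ],
}

if __name__ == "__main__":
    for p in check_ruleset(SAMPLE_RULESET):
        print(p)
```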