[syslog-ng] [announce] patterndb project

Balazs Scheidler bazsi at balabit.hu
Tue Jul 13 12:45:03 CEST 2010


On Sat, 2010-07-10 at 14:56 -0500, Martin Holste wrote:
> Looking good.  One picky thing: the line containing "NV pair names
> should only contain alphanumeric characters (a-zA-Z0-9)" should maybe
> include the underscore and dot in the regexp to avoid confusion, or at
> least the underscore.

done.

> 
> Also, I think "generic" may not be the term you're looking for when
> describing your initial schema design.  To me, "per-schema tables"
> better describes the layout, as technically, my method of dumping all
> logs into one table is more "generic" in that it's a one-size-fits-all
> table setup.

done.

> 
> I'm noting that it's a bit difficult to discuss the patterndb schema
> and DB layouts because I keep wanting to refer to DB schemas, which is
> confusing.  Could we instead call the patterndb schemas "rule sets,"
> as per the original patterndb.xml, instead of schemas?  That way we
> know when discussing schemas that it can only refer to DB tables.  It
> is more clear to me to say "one type of schema is to have one table
> per rule set."

well, the ruleset in patterndb refers to the application, rather than
the different log message types it emits. (e.g. a ruleset has a given
PROGRAM name which applies to all rules within the same ruleset).

It is quite a bit of work to rewrite the relevant sections; I'm not
against renaming, though.

The CEE project uses:
  * taxonomy = the meaning of the event (e.g. user login)
  * dictionary = the name-value pairs

The problem with the CEE naming is: taxonomy could be translated to our
"combination-of-schemas", more specifically the set of tags associated
with a message. And, the dictionary itself is taxonomy independent,
which I feel can be problematic in the long run.

-- 
Bazsi
