[syslog-ng] [announce] patterndb project

Martin Holste mcholste at gmail.com
Tue Jun 29 20:22:44 CEST 2010


I agree it's really nice to have those kinds of attributes in there.
Maybe what I'm talking about then is a serial number in addition to
CLSID, and in addition to whatever human-readable name.  So something
like:

<rule provider='CzP' class='violation' name='czp-sshd-1'
id=...CLSID... serial=1234567890>

So you could use the name attribute for the human-readable part, keep
the id's the way they currently are, and have a serial number for
indexing.

On Tue, Jun 29, 2010 at 12:08 PM, Peter Czanik <czanik at balabit.hu> wrote:
> Hello,
>
> On 2010-06-29 17:11, Martin Holste wrote:
>> My initial concern with the format of the pattern-db XML is with the
>> CLSID-style ID's.  I understand the advantages of CLSID's, but it is
>> very expensive to create database indexes on them because of their
>> enormous length.  I would prefer to have an integer ID in the pattern
>> XML somewhere.  Other opinions?
>>
> Well, the current solution is the only guarantee that the IDs are unique.
> In my own rules I use a different naming for IDs, to make it more human
> readable. I use a combination of my nickname, program name and a
> number. For example:
>
> <ruleset name='sshd' id='czp-sshd'>
> <rule provider='CzP' id='czp-sshd-1' class='violation'>
> <rule provider='CzP' id='czp-sshd-2' class='system'>
>
> This is way shorter than the IDs in the sample database. And when used in
> a config file, it is a lot easier to read. Of course, it is far from
> perfect, but a lot more convenient.
>
> Bye,
> CzP
>

