[syslog-ng] [announce] patterndb project

Balazs Scheidler bazsi at balabit.hu
Wed Jun 30 17:31:15 CEST 2010 

On Tue, 2010-06-29 at 10:11 -0500, Martin Holste wrote:
> This is awesome.  As I've written about previously, I've used the
> pattern-db enough to know how powerful and efficient it is, and I am
> doing all my logging with it.  My main use is for log classification
> and field parsing, which normalizes logs down to something that can
> easily be put in a database.  The classification helps with not only
> quickly identifying types of logs, but also higher-level ideas like
> log retention (so I archive important logs) and permissions (so people
> like web developers can have access to certain logs).  The field
> parsing is great for things like Snort and firewall logs, as well as
> web server logs.
> 
> If you use a NoSQL-style database, such as MongoDB or CouchDB, you
> don't have to worry about fitting fields into a rigid schema since
> there is no concept of "columns."  That works out great for pattern-db
> because you can specify any field/value pairs in the pattern and then
> have Mongo write it as-is so that some records will be (_id:1,
> program:"snort", srcip:x.x.x.x} and others will be {_id:2,
> program:"sendmail", to_address:"person at example.com"} .  They key is
> that you don't have to know ahead of time what fields you will be
> parsing in order to design a db schema.  That means when new patterns
> are released, the fields can be named anything without breaking your
> schema.

Great to know.

I noted the MongoDB/CouchDB as a possible project for plugin
development. (hint: see the syslog-ng OSE 3.2 tree) this could perhaps
be an alternative to my schema-based SQL destination (on the current
roadmap)

> 
> My initial concern with the format of the pattern-db XML is with the
> CLSID-style ID's.  I understand the advantages of CLSID's, but it is
> very expensive to create database indexes on them because of their
> enormous length.  I would prefer to have an integer ID in the pattern
> XML somewhere.  Other opinions?

I don't attach to much to UUIDs (I guess that's what you mean under
CLSID), but if we are not using something like UUID, then we need a
central place to administer the IDs.

Do you thing that's acceptable?

> 
> On Fri, Jun 25, 2010 at 10:23 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:


-- 
Bazsi

More information about the syslog-ng mailing list