[syslog-ng] Thoughts on patterndb syntax

Martin Holste mcholste at gmail.com
Thu Oct 21 04:59:50 CEST 2010


> This even makes classification metadata more useful, because
> .classifier.rule_id=ssh-accept-connection is immediately meaningful,
> while a UUID is useless unless I go grepping around the database.
>

You can do whatever you want with the rule id as far as I know.  I use
straight integers for my rule ids so that I can use an int column in
my database schema.  That said, I haven't found a particularly good
use for the rule ids yet--I guess it's more for posterity.

Note that for the kinds of things you're doing, <tags> is a good way
of attaching arbitrary values that will hit on greps for later because
you can standardize them across different rules and you can attach an
arbitrary number of them.

> When this occurs throughout the ruleset, and multiple times within a
> single message, it really lowers the readability of the rules.

I guess for me, readability is pretty far down on the list of features
I want poor Bazsi slaving away on, and that's mainly because pdbtool
does such a good job of verifying that my patterns match on exactly
what I think they do.  The other thing is that I think a lot of us are
planning on using patternize to do auto pattern generation, and so if
all goes to plan, humans won't have to be looking at these very often.
On the other hand, I recognize that the easier it is to author rules,
the more community contribution there will be.
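An added example, not part of the original mail and not syslog-ng's own code, that turns the two conventions above into a check: rule ids kept as plain integers (so they fit an int column) and tags drawn from a standard vocabulary so that later greps hit consistently across rules. The patterndb XML below is a constructed sample in the v4 layout, the provider name "example", the rule ids and the STANDARD_TAGS vocabulary are all assumptions made for the example.

```python
"""Lint a syslog-ng patterndb ruleset for integer rule ids and standard tags.

Added example, not from the original post. It uses only the standard library
and runs offline against the constructed sample embedded below.
"""
import xml.etree.ElementTree as ET

# Constructed sample ruleset (patterndb v4 layout). The third rule deliberately
# uses a non-integer id and a tag outside the standard vocabulary.
SAMPLE_PATTERNDB = """<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2010-10-21">
  <ruleset name="sshd" id="1">
    <patterns><pattern>sshd</pattern></patterns>
    <rules>
      <rule provider="example" id="100" class="system">
        <patterns>
          <pattern>Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: @@ANYSTRING:usracct.service@</pattern>
        </patterns>
        <tags><tag>usracct</tag><tag>ssh</tag></tags>
      </rule>
      <rule provider="example" id="100" class="violation">
        <patterns>
          <pattern>Failed @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: @@ANYSTRING:usracct.service@</pattern>
        </patterns>
        <tags><tag>usracct</tag><tag>ssh</tag></tags>
      </rule>
      <rule provider="example" id="ssh-accept-connection" class="system">
        <patterns><pattern>Connection from @IPv4:src.ip@</pattern></patterns>
        <tags><tag>ssh_conn</tag></tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# Assumed standard tag vocabulary shared across all rulesets.
STANDARD_TAGS = {"usracct", "ssh", "firewall"}


def lint_patterndb(xml_text, allowed_tags=STANDARD_TAGS):
    """Return findings as (kind, detail) tuples in document order.

    kinds: non_integer_id, duplicate_id, unknown_tag
    """
    root = ET.fromstring(xml_text)
    findings = []
    seen_ids = set()
    for rule in root.iter("rule"):
        rule_id = rule.get("id", "")
        if not rule_id.isdigit():
            findings.append(("non_integer_id", rule_id))
        elif rule_id in seen_ids:
            findings.append(("duplicate_id", rule_id))
        seen_ids.add(rule_id)
        for tag in rule.iter("tag"):
            if (tag.text or "") not in allowed_tags:
                findings.append(("unknown_tag", f"{rule_id}:{tag.text}"))
    return findings


def rules_with_tag(xml_text, wanted_tag):
    """Return the ids of every rule carrying wanted_tag, the grep-style lookup
    that standardized tags make possible across unrelated rules."""
    root = ET.fromstring(xml_text)
    return [
        rule.get("id", "")
        for rule in root.iter("rule")
        if any(tag.text == wanted_tag for tag in rule.iter("tag"))
    ]


if __name__ == "__main__":
    for kind, detail in lint_patterndb(SAMPLE_PATTERNDB):
        print(f"{kind}: {detail}")
    print("rules tagged usracct:", rules_with_tag(SAMPLE_PATTERNDB, "usracct"))
```

Run it against a real ruleset by replacing SAMPLE_PATTERNDB with the file contents; pdbtool still does the pattern-level verification the mail relies on, this only enforces the id and tag conventions around it.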
