[syslog-ng] Thoughts on patterndb syntax

Balazs Scheidler bazsi at balabit.hu
Thu Oct 21 17:26:35 CEST 2010


On Wed, 2010-10-20 at 21:57 -0400, Lars Kellogg-Stedman wrote:
> I've been playing with 3.2beta1 recently and getting my feet wet with
> the patterndb support, which I haven't had a chance to work with
> before.  I have a few thoughts regarding the patterndb rule syntax,
> mostly targeted at making things a little bit easier to work with.
> 
> - Rule IDs
> 
> Is there any particular reason why unique IDs were selected as rule
> identifiers?  They're not particularly meaningful to people, and
> they're hard to talk about.  It's much easier to say, "we're suddently
> seeing lots of matches for ssh-accept-connection" than it is to say,
> "we're suddenly seeing lots of matches for
> 4dd5a329-da83-4876-a431-ddcb59c2858c".  With the current version of
> syslog-ng it looks like it's possible to use arbitrary identifiers in
> place of UUIDs, and that's what I'm doing for my local rulesets.
> 
> This even makes classification metadata more useful, because
> .classifier.rule_id=ssh-accept-connection is immediately meaningful,
> while a UUID is useless unless I go grepping around the database.

I've removed the requirement to use UUIDs for these IDs from the XML
schema.

Until I have a better idea, it just requires any kind of string. Here's
the patch:

commit f334d4363b2dd38190e74d502f8fc266628944a7
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Thu Oct 21 17:25:44 2010 +0200

    patterndb-3.xsd: do not require UUID format for rule/ruleset IDs


For now, we're going to use UUIDs in patterndb, but that may change
later.

-- 
Bazsi
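As an added example (not code from syslog-ng, nor from either poster), below is a constructed patterndb v3 ruleset that uses readable rule ids such as ssh-accept-connection instead of UUIDs, together with a small Python stand-in for the matcher so that the resulting .classifier.rule_id and .classifier.class values can be seen without a syslog-ng install. The ruleset, the log lines, the function names (pattern_to_regex, load_patterndb, classify, duplicate_rule_ids) and the limited parser set (@ESTRING@, @IPv4@, @NUMBER@, @ANYSTRING@) are all assumptions of this example, and the matcher requires the whole message to match, which is a simplification of the real engine. The duplicate_rule_ids check is there because once the schema accepts any string as an id, nothing but the author keeps the ids unique.

```python
# Added example, not syslog-ng's own code: a constructed patterndb v3
# ruleset with readable rule ids, plus a tiny Python matcher that shows
# the .classifier.* values a match produces.  Parser support is limited
# to @ESTRING@, @IPv4@, @NUMBER@ and @ANYSTRING@ (an assumption here).
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample ruleset; ids are plain strings rather than UUIDs.
PATTERNDB_XML = """<patterndb version="3" pub_date="2010-10-21">
  <ruleset name="sshd" id="sshd">
    <pattern>sshd</pattern>
    <rules>
      <rule provider="example" id="ssh-accept-connection" class="system">
        <patterns>
          <pattern>Accepted @ESTRING:auth_method: @for @ESTRING:user: @from @IPv4:client_addr@ port @NUMBER:client_port@ @ANYSTRING:protocol@</pattern>
        </patterns>
      </rule>
      <rule provider="example" id="ssh-failed-password" class="violation">
        <patterns>
          <pattern>Failed password for @ESTRING:user: @from @IPv4:client_addr@ port @NUMBER:client_port@ @ANYSTRING:protocol@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# @TYPE:name@ or @TYPE:name:param@
PARSER_RE = re.compile(r"@(\w+)(?::([^:@]*))?(?::([^@]*))?@")

def pattern_to_regex(pattern):
    """Translate one patterndb pattern into a regex; returns (regex, ipv4 field names)."""
    parts, ipv4_fields, pos = [], [], 0
    for m in PARSER_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        ptype, name, param = m.groups()
        if ptype == "ESTRING":
            # shortest run up to the first delimiter; the delimiter is consumed
            parts.append(f"(?P<{name}>.*?){re.escape(param)}")
        elif ptype == "IPv4":
            parts.append(rf"(?P<{name}>\d{{1,3}}(?:\.\d{{1,3}}){{3}})")
            ipv4_fields.append(name)
        elif ptype == "NUMBER":
            parts.append(rf"(?P<{name}>\d+)")
        elif ptype == "ANYSTRING":
            parts.append(f"(?P<{name}>.*)")
        else:
            raise ValueError(f"unsupported parser type {ptype!r}")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts)), ipv4_fields

def load_patterndb(xml_text):
    """Return [(program names, [(rule id, class, regex, ipv4 fields), ...]), ...]."""
    db = []
    for rs in ET.fromstring(xml_text).findall("ruleset"):
        programs = {p.text for p in rs.findall("pattern")}
        rules = []
        for rule in rs.findall("rules/rule"):
            for pat in rule.findall("patterns/pattern"):
                regex, ipv4_fields = pattern_to_regex(pat.text)
                rules.append((rule.get("id"), rule.get("class"), regex, ipv4_fields))
        db.append((programs, rules))
    return db

def classify(db, program, message):
    """Name-value pairs a match attaches to the message, or None if nothing matches.
    Simplification: the whole message must match the pattern."""
    for programs, rules in db:
        if program not in programs:
            continue
        for rule_id, rule_class, regex, ipv4_fields in rules:
            m = regex.fullmatch(message)
            if m is None:
                continue
            values = m.groupdict()
            try:  # the regex accepts 999.1.1.1; reject octets that are not an address
                for name in ipv4_fields:
                    ipaddress.IPv4Address(values[name])
            except ValueError:
                continue
            values[".classifier.class"] = rule_class
            values[".classifier.rule_id"] = rule_id
            return values
    return None

def duplicate_rule_ids(xml_text):
    """With free-form ids the schema no longer guarantees uniqueness, so check it."""
    seen, dups = set(), []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rid = rule.get("id")
        if rid in seen:
            dups.append(rid)
        seen.add(rid)
    return dups

if __name__ == "__main__":
    DB = load_patterndb(PATTERNDB_XML)
    # constructed log line, already split into program and message as syslog-ng does
    print(classify(DB, "sshd", "Accepted publickey for lars from 192.0.2.10 port 51234 ssh2"))
    print("duplicate ids:", duplicate_rule_ids(PATTERNDB_XML))
```

The matched result carries .classifier.rule_id=ssh-accept-connection next to the extracted fields, which is exactly the readable value the thread asks for in filters and reports. Against a real syslog-ng the same ruleset would be exercised with pdbtool; the matcher above only stands in for it offline.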
