[syslog-ng] [patterndb] classification

Anton Chuvakin anton at chuvakin.org
Sat Sep 4 19:57:33 CEST 2010


>> In CEE, OAS triad will likely be used as "default tags" for all messages.
>
> Is it a recursive hierarchy? e.g. is it possible to organize bunches to
> even higher level bunches?

Actually, we have not thought about it yet :-(

> Also what I see unsolved is how the user can easily sort messages into
> files/tables by bunch.

This probably has to be done inside the log analysis tool that is
aware of tags and their bunches.

> Although if I were to define multi-value name-value pairs the one above
> could expand to multiple file writes. This way writing by tags or by
> bunches should be very simple.

Multi-value N=V pairs are evil. They kill log parsers and RDBMS :-) We did
think a lot about this conundrum of src_IP="10.10.1.2,10.10.1.3" and
might well recommend that it never happens. If we have to deaggregate
logs (thus exploding the volume) the whole thing would be a mess...

-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
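The two points raised in this thread, routing messages by tag bunch and the cost of deaggregating multi-valued name=value fields, can be seen in a few lines of code. The block below is an added example, not code from the post, from CEE or from syslog-ng; the tag-to-bunch table, the comma-separated multi-value convention and the sample log lines are all constructed assumptions for illustration. It parses key=value lines, explodes any multi-valued field into one flat row per combination (the only way to land such a record in a single-valued RDBMS column), and groups the resulting rows by bunch.

```python
"""Added example (not from the mailing list post): a tiny key=value log
normalizer showing how multi-valued fields multiply row counts when
deaggregated, and how flat rows can then be routed by tag bunch."""
import itertools
import re
from typing import Dict, List

# Hypothetical tag -> bunch mapping; an assumption, not a CEE definition.
TAG_BUNCHES = {
    "login": "auth",
    "logout": "auth",
    "fw_accept": "network",
    "fw_drop": "network",
}

# key=value, where value is either a double-quoted string (with \" escapes)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, List[str]]:
    """Parse name=value pairs; a comma-separated value is treated as multi-valued.

    Every field is returned as a list so the caller can see which ones carry
    more than one value.
    """
    fields: Dict[str, List[str]] = {}
    for key, raw in KV_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw
        fields[key] = [v.strip() for v in value.split(",") if v.strip()]
    return fields


def explosion_factor(fields: Dict[str, List[str]]) -> int:
    """Number of flat rows one parsed line turns into after deaggregation."""
    factor = 1
    for values in fields.values():
        factor *= len(values)
    return factor


def deaggregate(fields: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Explode multi-valued fields into single-valued rows (cartesian product).

    Two multi-valued fields with m and n values yield m*n rows; this is the
    volume explosion the thread warns about.
    """
    keys = list(fields)
    return [dict(zip(keys, combo))
            for combo in itertools.product(*(fields[k] for k in keys))]


def route_by_bunch(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Normalize each line and group the flat rows by the bunch of their tag.

    Rows whose tag is unknown land in an "unclassified" bucket rather than
    being dropped, so nothing silently disappears from the pipeline.
    """
    routed: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        for row in deaggregate(parse_kv(line)):
            bunch = TAG_BUNCHES.get(row.get("tags", ""), "unclassified")
            routed.setdefault(bunch, []).append(row)
    return routed


# Constructed sample input; not real log data.
SAMPLE_LINES = [
    'ts=2010-09-04T19:57:33 tags=login user=alice src_IP=10.10.1.2',
    'ts=2010-09-04T19:57:34 tags="fw_drop" src_IP="10.10.1.2,10.10.1.3" dst_port="22,23,80"',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_kv(line)
        print(f"{explosion_factor(fields)} row(s) <- {line}")
    for bunch, rows in route_by_bunch(SAMPLE_LINES).items():
        print(bunch, len(rows), "row(s)")
```

The second sample line carries two multi-valued fields (two source addresses, three ports) and becomes six rows, none of which records that the addresses and ports originally belonged to one event; that loss of grouping, not just the row count, is why a single-valued convention at the producer is simpler than repairing it in the parser.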

