[syslog-ng] [patterndb] classification

Martin Holste mcholste at gmail.com
Sun Sep 5 03:40:05 CEST 2010


> Multi-value N=V are evil. They kill log parsers and RDBMS :-) We did
> think a lot about this conundrum of src_IP="10.10.1.2,10.10.1.3" and
> might well recommend that it never happens. If we have to deaggregate
> logs (thus exploding the volume) the whole thing would be a mess...

Yes, they are evil.  I was re-reading the recent thread "[syslog-ng]
[announce] patterndb project," and I think we were in agreement that
tags are still a good thing, though.  So, how do we store the
multi-value N=V but also have the flexibility of tags?  My thought is
maybe we go with a "primary" tag which is the class, and then the
<tags> can be output via macro $TAG.  ($TAG will contain all values in
<tags>, right?)  So for the macro-based file name, you would only use
file("/var/log/messages.${.classifier.class}.log") and do your tag
grepping normally, where classifier.class would be the primary tag.  I
think this would work out better in the long run than trying to
concatenate tags for the class, because keeping track of the order
would be complicated, and it would definitely be better than sticking
to logcheck's very limited range of class selections.
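What the proposal above looks like as a syslog-ng configuration, added here as an illustration rather than anything from the thread: the db-parser sets `.classifier.class`, which selects the output file, while the full tag list is emitted through the `${TAGS}` macro (the correct macro name in 3.x) so it can be grepped from each line. The patterndb path and the `auth_failed` tag are assumed values.

```conf
@version: 3.2

source s_local { system(); internal(); };

# Classify messages with the pattern database (path is an assumption).
parser p_patterndb {
    db-parser(file("/etc/syslog-ng/patterndb.xml"));
};

# One file per primary class; every line carries the complete tag list,
# so multi-value tags stay greppable without concatenating them into the class.
destination d_by_class {
    file("/var/log/messages.${.classifier.class}.log"
         template("${ISODATE} ${HOST} ${PROGRAM}: ${MSG} tags=[${TAGS}]\n"));
};

# Optional: route on a secondary tag instead of the class (tag name assumed).
filter f_auth_failed { tags("auth_failed"); };
destination d_auth_failed { file("/var/log/auth_failed.log"); };

log { source(s_local); parser(p_patterndb); destination(d_by_class); };
log { source(s_local); parser(p_patterndb); filter(f_auth_failed); destination(d_auth_failed); };
```

Messages that match no rule are classified as `unknown` by db-parser, so they land in `messages.unknown.log` rather than producing an empty class in the file name.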
