[syslog-ng] [patterndb] classification

Martin Holste mcholste at gmail.com
Mon Sep 6 23:55:07 CEST 2010


> What I'm thinking right now is to create the possibility to create a
> "tagdb", independently from the patterndb database (although they must
> play hand-in-hand).
>
> This tagdb would define the tag hierarchy (tags in bunches basically) and
> could perhaps also associate type with the tags.
>

That would be really nice, but it sounds like a lot of effort will be
required on your part.  Still, sounds good if you're up for the
maintenance.

> <tagdb>
>  <bunch name="security">
>    <tag type="object" name="flowevt"/>
>    <tag type="action" name="secevt"/>
>  </bunch>
>  <bunch name="storage">
>    <tag type="object" name="file"/>
>    <tag type="object" name="database"/>
>  </bunch>
>  <tag type="class" name="violation"/>
>  <tag type="class" name="security"/>
>  <tag type="class" name="system"/>
>  <tag type="class" name="unknown"/>
>  <tag name="just-a-simple-tag-without-type"/>
> </tagdb>
>

This seems workable, but to me, all that is required is a standard
list of classes and tags to use as a guide for contributions.  People
can pick the most important tag to be the class name, and then just
apply the rest as tags.  A worthwhile discussion could take place on
whether the most general or most specific tag should be used for the
class.  This format would still comply with the CEE requirements as
long as all of the tags needed are present.  So, it would look more
like:

.classifier.class="security"
<tags>
 <tag>flowevt</tag> <!--object-->
 <tag>deny</tag> <!--action-->
 <tag>success</tag> <!--status-->
</tags>

Or, you could be explicit with the CEE values:
<tag>object.flowevt</tag>

> For some reason I rather like type tags, even though it is somewhat more
> bureaucratic: users/pattern authors should be free to create their tags
> without limitation.
>
> Opinions?

I agree.
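To show how the two formats discussed above could be reconciled, here is an added example (not syslog-ng or patterndb code) that loads the quoted tagdb proposal and checks a rule's class and tags against it. The validation rules (the class must be a class-typed tag, and an explicit type.name prefix must agree with the tagdb) are my assumption of how such a check would work.

```python
# Added example: validate a rule's class/tags against the proposed tagdb.
import xml.etree.ElementTree as ET

# Constructed input: the <tagdb> proposal quoted in the thread.
TAGDB_XML = """<tagdb>
 <bunch name="security">
   <tag type="object" name="flowevt"/>
   <tag type="action" name="secevt"/>
 </bunch>
 <bunch name="storage">
   <tag type="object" name="file"/>
   <tag type="object" name="database"/>
 </bunch>
 <tag type="class" name="violation"/>
 <tag type="class" name="security"/>
 <tag type="class" name="system"/>
 <tag type="class" name="unknown"/>
 <tag name="just-a-simple-tag-without-type"/>
</tagdb>"""


def load_tagdb(xml_text):
    """Return {tag_name: (type or None, bunch or None)} for every <tag>."""
    root = ET.fromstring(xml_text)
    tags = {}
    for bunch in root.findall("bunch"):
        for tag in bunch.findall("tag"):
            tags[tag.get("name")] = (tag.get("type"), bunch.get("name"))
    for tag in root.findall("tag"):  # top-level tags outside any bunch
        tags[tag.get("name")] = (tag.get("type"), None)
    return tags


def check_rule(tagdb, class_name, rule_tags):
    """Hypothetical check: class must be class-typed; each rule tag must exist,
    and if written as type.name the prefix must match the tagdb's type."""
    problems = []
    if tagdb.get(class_name, (None, None))[0] != "class":
        problems.append("class %r is not a class-typed tag" % class_name)
    for raw in rule_tags:
        typ, _, name = raw.rpartition(".")  # "object.flowevt" -> object, flowevt
        if name not in tagdb:
            problems.append("unknown tag %r" % raw)
        elif typ and tagdb[name][0] != typ:
            problems.append("tag %r is typed %r in tagdb" % (raw, tagdb[name][0]))
    return problems
```

Run against the thread's own rule (class "security", tags flowevt/deny/success), the check flags "deny" and "success" as not yet in the tagdb, which is exactly the gap a shared standard list of tags would close.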

