[syslog-ng] [RFC]: Pattern matching & corellation ideas

Evan Rempel erempel at uvic.ca
Fri Sep 7 20:54:19 CEST 2012


> The way to make pattern writing easier, is not really the language
> itself (it does help if it is not cryptic; both grok and patterndb
> are. Compact, but cryptic), but the provided tools. Give people good
> tools, and they won't care the least bit about what language the tool
> produces as output.
> 
> Which brings me to another benefit of using a Clojure-compatible syntax
> for the PoC: it's easy to manipulate from Clojure *AND* ClojureScript
> too. It wouldn't be too hard to knock up a little web app that presents
> you with a bunch of logs, and you can interactively develop patterns,
> without ever having to look at the code produced under the hood.
> 
> Same could be done with Grok or PatternDB too, I suppose, but I'm not
> going to touch either from an application running in the browser.

And that is exactly what we are doing.
We are building a database that has CEE classifications of events and all of
the tag related goodness. Then a script pulls all of this out of the database
and produces the XML.

I never look at XML again. Just patterns, tags, and classifications.

We are adding tags for event notification, incident reporting, threshold
measurements etc. All of this controls syslog-ng's message routing
to program destinations that then make tickets, trigger nagios probes
and plug into the rest of our infrastructure.

Who wants to look at ANY container language. As soon as I have more than
a couple of hundred patterns I need an interface tool kit anyway.


-- 
Evan


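Worked example, added here and not code from the original post or from the syslog-ng project: a small Python generator in the shape of the workflow Evan describes, turning a table of patterns, classifications and tags into a patterndb v4 XML file, plus the syslog-ng `filter` definitions that route on the tags. The `RULES` table is a constructed stand-in for the database; the program names, patterns, tag names (`notify`, `incident`, `threshold`), the provider string and the uuid5-derived rule ids are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Generate a syslog-ng patterndb (v4) XML file from a table of patterns,
tags and classifications.

Added example, not code from the original post or from syslog-ng. RULES is
a constructed stand-in for the database; program names, patterns, tag names
and the uuid5-derived ids are assumptions made for this example.
"""
import uuid
import xml.etree.ElementTree as ET

# Tags that drive routing in syslog-ng rather than describe the event (assumed names).
ROUTING_TAGS = ("notify", "incident", "threshold")

# Constructed sample rows, one per pattern, as the database would hold them.
RULES = [
    {"program": "sshd", "class": "system",
     "pattern": "Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @"
                "from @ESTRING:usracct.device: @port @NUMBER:usracct.port@ @ANYSTRING@",
     "tags": ["usracct", "secevt", "notify"]},
    {"program": "sshd", "class": "violation",
     "pattern": "Failed @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @"
                "from @ESTRING:usracct.device: @port @NUMBER:usracct.port@ @ANYSTRING@",
     "tags": ["usracct", "secevt", "incident"]},
    {"program": "sudo", "class": "system",
     "pattern": "@ESTRING:usracct.username: @: TTY=@ESTRING:: @; PWD=@ESTRING:: @; "
                "USER=@ESTRING:usracct.target: @; COMMAND=@ANYSTRING:usracct.command@",
     "tags": ["usracct", "threshold"]},
]


def stable_id(*parts):
    """Deterministic UUID so regenerating the file keeps ruleset/rule ids unchanged."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "patterndb:" + ":".join(parts)))


def build_patterndb(rules, pub_date, provider="example.org"):
    """Return the patterndb XML as a string, one <ruleset> per program name."""
    root = ET.Element("patterndb", {"version": "4", "pub_date": pub_date})
    rulesets = {}
    for row in rules:
        prog = row["program"]
        if prog not in rulesets:
            rs = ET.SubElement(root, "ruleset",
                               {"name": prog, "id": stable_id("ruleset", prog)})
            # The ruleset-level <pattern> is matched against $PROGRAM.
            ET.SubElement(rs, "pattern").text = prog
            rulesets[prog] = ET.SubElement(rs, "rules")
        rule = ET.SubElement(rulesets[prog], "rule",
                             {"provider": provider,
                              "id": stable_id("rule", prog, row["pattern"]),
                              "class": row["class"]})
        ET.SubElement(ET.SubElement(rule, "patterns"), "pattern").text = row["pattern"]
        if row.get("tags"):
            tags = ET.SubElement(rule, "tags")
            for tag in row["tags"]:
                ET.SubElement(tags, "tag").text = tag
    # Serialising through ElementTree rather than string templates escapes
    # '&', '<' and '>' inside patterns, so one odd pattern cannot corrupt the file.
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(root, encoding="unicode"))


def patterndb_summary(xml_text):
    """Parse a patterndb file back into plain data (used to check the output)."""
    root = ET.fromstring(xml_text)
    return {
        "version": root.get("version"),
        "rulesets": [rs.get("name") for rs in root.findall("ruleset")],
        "rules": [{"class": r.get("class"),
                   "pattern": r.findtext("patterns/pattern"),
                   "tags": [t.text for t in r.findall("tags/tag")]}
                  for r in root.findall("ruleset/rules/rule")],
    }


def routing_filters(rules, routing_tags=ROUTING_TAGS):
    """syslog-ng filter{} definitions, one per routing tag the table uses, so
    log{} paths can steer tagged messages to program() destinations."""
    used = sorted({t for row in rules for t in row.get("tags", ()) if t in routing_tags})
    return "\n".join('filter f_tag_%s { tags("%s"); };' % (t, t) for t in used)


if __name__ == "__main__":
    print(build_patterndb(RULES, "2012-09-07"))
```

Redirect the output to a file and check it with syslog-ng's own `pdbtool` (for example `pdbtool match -p patterndb.xml -P sshd -M "Accepted password for alice from 10.0.0.5 port 51234 ssh2"`) before loading it; the `filter f_tag_incident { tags("incident"); };` lines from `routing_filters()` are what a `log {}` path would combine with a `program()` destination such as a ticketing script, which is the routing step the post describes and is left to site configuration here.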