Hi folks.
I'm working on the details of my XML-based logging proposal
so Alex can take it to the IETF bof, and have hit a bit of a
snag. I originally conceived of being able to eliminate
redundancy by doing something like this:
<CNTXT HOST=myhost PROG=AUDIT/tripwire
    DATE=whatever>
  <CNTXT MSG="new files detected">
    <LOG DOC=/a/b/c />
    <LOG DOC=/a/b/d />
    <LOG DOC=/a/b/e />
  </CNTXT>
  <CNTXT MSG="deleted files detected">
    <LOG DOC=/a/b/f />
    <LOG DOC=/a/b/g />
    <LOG DOC=/a/b/h />
  </CNTXT>
</CNTXT>
That has a certain benefit, but I'm not certain it's really
the way to go.
Here are some other possibilities:
1. Use a unified tag instead of CNTXT and LOG. In this
case, only the inner-most entries are "real." This is
a trifle harder to parse in your brain, but a little
easier to describe in an XML schema:
<LOG HOST=myhost PROG=AUDIT/tripwire DATE=whatever>
  <LOG MSG="new files detected">
    <LOG DOC=/a/b/c />
    <LOG DOC=/a/b/d />
    <LOG DOC=/a/b/e />
  </LOG>
  <LOG MSG="deleted files detected">
    <LOG DOC=/a/b/f />
    <LOG DOC=/a/b/g />
    <LOG DOC=/a/b/h />
  </LOG>
</LOG>
2. Get rid of the nesting but allow multiple attribute
entries. This is easier to parse/understand, but it
breaks up what would otherwise be atomic log entries
and it feels a little strange having repeated
name=value declarations for the same name:
<LOG HOST=myhost PROG=AUDIT/tripwire DATE=whatever
    MSG="new files detected" DOC=/a/b/c DOC=/a/b/d
    DOC=/a/b/e />
<LOG HOST=myhost PROG=AUDIT/tripwire DATE=whatever
    MSG="deleted files detected" DOC=/a/b/f DOC=/a/b/g
    DOC=/a/b/h />
3. Get rid of the nesting, convert repeatable name=value
attributes into XML "elements," and make the message
the body of the LOG element. This is more XML-ish, but
still breaks up formerly atomic log entries.
<LOG HOST=myhost PROG=AUDIT/tripwire DATE=whatever>
  new files detected
  <DOC="/a/b/c"/>
  <DOC="/a/b/d"/>
  <DOC="/a/b/e"/>
</LOG>
<LOG HOST=myhost PROG=AUDIT/tripwire DATE=whatever>
  deleted files detected
  <DOC="/a/b/f"/>
  <DOC="/a/b/g"/>
  <DOC="/a/b/h"/>
</LOG>
4. Finally, allow the nesting to keep the logs joined, but
handle the message text and repeatable attributes as
above:
<LOG HOST=myhost PROG=AUDIT/tripwire DATE=whatever>
  <MSG>new files detected
    <DOC="/a/b/c"/>
    <DOC="/a/b/d"/>
    <DOC="/a/b/e"/>
  </MSG>
  <MSG>deleted files detected
    <DOC="/a/b/f"/>
    <DOC="/a/b/g"/>
    <DOC="/a/b/h"/>
  </MSG>
</LOG>
I'm in a quandary. What do you all think?
--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
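Added example, not part of the original message: a sketch of how a log consumer could expand the nested layouts above (the original CNTXT/LOG form and option 1's unified LOG tag) back into flat, self-contained records by inheriting attributes from enclosing elements. The function name flatten, its parameters and the sample input are assumptions, and attribute values are quoted so a standard XML parser accepts them.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the nested CNTXT/LOG layout from the post, with
# attribute values quoted so it is well-formed XML (assumption).
SAMPLE = """\
<CNTXT HOST="myhost" PROG="AUDIT/tripwire" DATE="whatever">
  <CNTXT MSG="new files detected">
    <LOG DOC="/a/b/c"/>
    <LOG DOC="/a/b/d"/>
  </CNTXT>
  <CNTXT MSG="deleted files detected">
    <LOG DOC="/a/b/f"/>
  </CNTXT>
</CNTXT>
"""

def flatten(xml_text, context_tag="CNTXT", entry_tag="LOG"):
    """Return one dict per innermost entry, with inherited attributes.

    An inner attribute overrides an outer one of the same name. Passing
    context_tag="LOG" handles option 1, where only childless elements
    are "real" entries.
    """
    # Logs from untrusted senders should go through a hardened parser
    # configuration; stdlib ElementTree keeps this example self-contained.
    root = ET.fromstring(xml_text)
    records = []

    def walk(elem, inherited):
        if elem.tag not in (context_tag, entry_tag):
            raise ValueError(f"unexpected element <{elem.tag}>")
        merged = {**inherited, **elem.attrib}
        children = list(elem)
        if children:
            if elem.tag != context_tag:
                raise ValueError("entry elements must not contain children")
            for child in children:
                walk(child, merged)
        elif elem.tag == entry_tag:
            # Childless entry element: emit a complete, atomic record.
            records.append(merged)

    walk(root, {})
    return records

if __name__ == "__main__":
    for rec in flatten(SAMPLE):
        print(rec)
```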