Magosanyi Arpad wrote:

 > My mailer believes that Chris Calabrese wrote the following:
 >
 > > I agree that the ideal is a full MAC labeling/control system.
 >
 > We still can't understand each other. Maybe here is the point.
 > Do you talk about the labels of the log source, not of the labels
 > of the objects/subjects engaged in the event?
 > In this case you need an encapsulation protocol for the labels.
 > I don't know about one, but it is an issue which should be addressed
 > sooner or more sooner, but not in this WG.
 > Communicating the labels with the encapsulation based on source IP/
 > facility/priority/whatever is another issue, just like an API for such
 > a thing.

I want to be able to communicate three things:

1.  What generated the log message.  This can be derived
     from a combination of the source IP address (or some
     authentication information if present) and the source
     process identification (ideally a process name, PID,
     and thread ID, but facility will have to stand in
     in many cases).
2.  What to do with the message when it arrives.  This
     can be derived from rules that look at what generated
     the message (see above), regular expressions, and/or
     the message priority.
3.  Who can look at the message when reporting off the
     persistent message database.

It is # 3 that we're talking about here.  My assertion
is that this can be derived based on what generated
the log message (i.e., item #1) and the message priority.
My (Unix centric) view is that the rules would be a tuple of
   logname (or null for any logname)
   source-system (or null for any system)
   source-facility (or null for any facility)
   source-process-name (or null for any process - and btw you
     might not be able to get this for every message)
   min-message-priority (you can see anything at this level or higher)

It's not perfect.  It totally ignores the possibility that
the source OS may support MAC labels.  It totally ignores
the fact that message priority is not a perfect mapping
to "real" hierarchical labels.  It totally ignores the fact that
source-facility and source-process name are not a perfect
mapping to "real" non-hierarchical labels.  But it will
work awfully well in the real world based on what I know
about current syslog usage.  And this being a requirements doc,
implementors may implement "real" labels.  I'm just pointing
out that they don't have to to have a 95% solution.

--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
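The rule tuple Chris sketches above (logname, source-system, source-facility, source-process-name, min-message-priority, with null meaning "any"), worked through as an added example. This is illustrative code written for this page, not from the syslog WG drafts, from Chris's message, or from any syslogd. It derives item 1 (what generated the message) from the host and TAG of a BSD-style stored line and the facility/severity from the PRI, then decides item 3 (who may read it) from a rule list. It also covers two points the message only hints at: the "this level or higher" comparison must remember that more urgent severities have lower numbers, and a rule pinned to a process name has to fail closed when a message carries no process identification at all. The Rule and Message names, the lognames, hosts, rule set and log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Classic syslog PRI encoding: PRI = facility * 8 + severity.  Names follow the
# usual facility/severity tables; numerically LOWER severity is MORE urgent.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass(frozen=True)
class Rule:
    """One access rule.  None in a source field means 'any' (the tuple's null)."""
    logname: Optional[str]
    source_system: Optional[str]
    source_facility: Optional[str]
    source_process: Optional[str]
    min_severity: str            # reader may see this level or anything more urgent


@dataclass(frozen=True)
class Message:
    source_system: str
    facility: str
    severity: str
    process: Optional[str]       # None when the sender supplied no TAG
    text: str


# BSD-style line as a collector might store it: <PRI>Mmm dd hh:mm:ss host tag[pid]: msg
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?:(?P<tag>[^\s:\[]+)(?:\[\d+\])?: )?(?P<msg>.*)$"
)


def parse(line: str) -> Message:
    """Derive the 'what generated it' fields (item 1 in the message) from a stored line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return Message(source_system=m.group("host"),
                   facility=FACILITIES[pri // 8],
                   severity=SEVERITIES[pri % 8],
                   process=m.group("tag"),
                   text=m.group("msg"))


def matches(rule: Rule, logname: str, msg: Message) -> bool:
    """True if `rule` lets `logname` read `msg`."""
    if rule.logname is not None and rule.logname != logname:
        return False
    if rule.source_system is not None and rule.source_system != msg.source_system:
        return False
    if rule.source_facility is not None and rule.source_facility != msg.facility:
        return False
    if rule.source_process is not None:
        # A rule pinned to a process name must fail closed when the message
        # carries no process identification, rather than treating it as a wildcard.
        if msg.process is None or rule.source_process != msg.process:
            return False
    # "this level or higher": more urgent severities have lower numbers.
    return SEVERITIES.index(msg.severity) <= SEVERITIES.index(rule.min_severity)


def may_read(rules: Iterable[Rule], logname: str, msg: Message) -> bool:
    return any(matches(r, logname, msg) for r in rules)


def visible(rules: Iterable[Rule], logname: str, lines: Iterable[str]) -> List[str]:
    """Texts of the lines `logname` is allowed to see, in stored order."""
    rules = list(rules)
    return [m.text for m in map(parse, lines) if may_read(rules, logname, m)]


# Constructed rule set (hypothetical lognames and hosts).
RULES = [
    Rule("auditor", None, None, None, "debug"),         # auditor: everything
    Rule("dba", "db1", None, None, "info"),             # dba: info and up from db1
    Rule("dba", None, "daemon", "postgres", "debug"),   # dba: all postgres daemon msgs
    Rule(None, None, "kern", None, "crit"),             # anyone: kernel crit/alert/emerg
]

# Constructed sample lines; the comment gives facility.severity decoded from PRI.
SAMPLE_LINES = [
    "<38>Mar  4 10:00:01 db1 sshd[1201]: Accepted publickey for alice",   # auth.info
    "<31>Mar  4 10:00:02 web1 postgres[998]: checkpoint complete",        # daemon.debug
    "<30>Mar  4 10:00:03 db1 postgres[877]: connection received",         # daemon.info
    "<2>Mar  4 10:00:04 web1 kernel: Out of memory: kill process 4242",   # kern.crit
    "<7>Mar  4 10:00:05 db1 kernel: eth0: link is up",                    # kern.debug
    "<13>Mar  4 10:00:06 web1 hello world",                               # user.notice, no TAG
]

if __name__ == "__main__":
    for who in ("auditor", "dba", "guest"):
        print(who, "->", visible(RULES, who, SAMPLE_LINES))
```

Note that the rules are purely additive: any matching tuple grants access, which is what "null for any" naturally gives you. Deny rules, and anything like the non-hierarchical labels the message says this scheme ignores, would need a different evaluation order.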