[Logs-devel] simplifying LoGS rulesets

logs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Logs-devel] simplifying LoGS rulesets

From:	Jim Prewett
Subject:	[Logs-devel] simplifying LoGS rulesets
Date:	Tue, 16 May 2006 07:13:47 -0600 (MDT)

Hi all,

I was going over my first set of slides (titled: LoGS - yet another log 
analysis tool?) from LCI 2004, I think :).  Even the very simple things we 
came up with when LoGS was barely a baby was hard to explain (at venues 
like LCI, etc. with technical audiences).

The first example rule (titled "simple rule" in the slides) looks like 
this (i've removed the compiler declarations from the functions for 
clarity):

;;;; 8 pairs of parens
(make-instance
  'rule
  :name 'default-rule 
  :match (lambda (message)
           t)
  :actions
  ;; LoGS 0.0.1 required a 3 element lambda list for the action function
  ;; this has been updated for LoGS 0.1.1 (current)
  (list (lambda (message)
           (print (message message)))))

IMO, this rule, while conceptually simple is swimming with parens.  I 
think this might be a good place to start.  (If we can't make this easy to 
express... )

One could imagine having the new rule description language syntax already 
available which might reduce the example to something like:

;;;; 7 pairs of parens
(rule
  named 'default-rule
  matching function (lambda (message)
                       t)
  doing (lambda (message)
          (print (message message))))

It seems pretty clear to me that a lot of the complexity is going to be in 
the functions that LoGS uses for specifying the match and then specifying 
the resulting actions.  If we had additional built-in stuff, I could 
imagine that last example then reading something like this:

;;;; 1 pair of parens
(rule
  named 'default-rule
  matching function #'match-every-message
  doing #'print-message)

without the new syntax, it would look like this:

;;;; 2 pairs of parens
(make-instance
  'rule
  :name 'default-rule
  :match #'match-every-message
  :actions
  (list
   #'print-message))

One thing I notice is that when you can remove the function creation from 
the ruleset (take out all (lambda ...) and simular "code chunks") that the 
complexity of writing your rule greatly reduces.

As a point of comparison, I decided to write this rule in Logsurfer and 
SEC's syntax:

In Logsurfer, that would be written:
'.*' - - - 0 exec "/bin/echo $0"

In Logsurfer+, I believe that could also be written:
'.*' - - - 0 write -

(write is a new action in logsurfer+, i'm not sure if a version that 
supports it has been released yet, I'm also not sure if my recollection of 
the syntax is correct)

In SEC, that might be written:
# pattern could also be a perlfunc, but for the sake of clarity (and my 
# sanity), I'll use the regexp pattern type
ptype=regexp
pattern=.*
action=logonly

Anyone have thoughts on ways to simplify rule specification?

Jim

James E. Prewett                    address@hidden address@hidden 
Systems Team Leader           LoGS: http://www.hpc.unm.edu/~download/LoGS/ 
Designated Security Officer         OpenPGP key: pub 1024D/31816D93    
HPC Systems Engineer III   UNM HPC  505.277.8210

[Prev in Thread]

Current Thread

[Next in Thread]

[Logs-devel] simplifying LoGS rulesets, Jim Prewett <=

Prev by Date: Re: [Logs-devel] LoGS userfriendliness?
Next by Date: [Logs-devel] defsystem loses with cmucl on filenames of form "name.ext1.ext2" (fwd)
Previous by thread: [Logs-devel] LoGS userfriendliness?
Next by thread: [Logs-devel] defsystem loses with cmucl on filenames of form "name.ext1.ext2" (fwd)
Index(es):
- Date
- Thread