[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Logs-devel] simplifying LoGS rulesets
From: |
Jim Prewett |
Subject: |
[Logs-devel] simplifying LoGS rulesets |
Date: |
Tue, 16 May 2006 07:13:47 -0600 (MDT) |
Hi all,
I was going over my first set of slides (titled: LoGS - yet another log
analysis tool?) from LCI 2004, I think :). Even the very simple things we
came up with when LoGS was barely a baby was hard to explain (at venues
like LCI, etc. with technical audiences).
The first example rule (titled "simple rule" in the slides) looks like
this (i've removed the compiler declarations from the functions for
clarity):
;;;; 8 pairs of parens
(make-instance
'rule
:name 'default-rule
:match (lambda (message)
t)
:actions
;; LoGS 0.0.1 required a 3 element lambda list for the action function
;; this has been updated for LoGS 0.1.1 (current)
(list (lambda (message)
(print (message message)))))
IMO, this rule, while conceptually simple is swimming with parens. I
think this might be a good place to start. (If we can't make this easy to
express... )
One could imagine having the new rule description language syntax already
available which might reduce the example to something like:
;;;; 7 pairs of parens
(rule
named 'default-rule
matching function (lambda (message)
t)
doing (lambda (message)
(print (message message))))
It seems pretty clear to me that a lot of the complexity is going to be in
the functions that LoGS uses for specifying the match and then specifying
the resulting actions. If we had additional built-in stuff, I could
imagine that last example then reading something like this:
;;;; 1 pair of parens
(rule
named 'default-rule
matching function #'match-every-message
doing #'print-message)
without the new syntax, it would look like this:
;;;; 2 pairs of parens
(make-instance
'rule
:name 'default-rule
:match #'match-every-message
:actions
(list
#'print-message))
One thing I notice is that when you can remove the function creation from
the ruleset (take out all (lambda ...) and simular "code chunks") that the
complexity of writing your rule greatly reduces.
As a point of comparison, I decided to write this rule in Logsurfer and
SEC's syntax:
In Logsurfer, that would be written:
'.*' - - - 0 exec "/bin/echo $0"
In Logsurfer+, I believe that could also be written:
'.*' - - - 0 write -
(write is a new action in logsurfer+, i'm not sure if a version that
supports it has been released yet, I'm also not sure if my recollection of
the syntax is correct)
In SEC, that might be written:
# pattern could also be a perlfunc, but for the sake of clarity (and my
# sanity), I'll use the regexp pattern type
ptype=regexp
pattern=.*
action=logonly
Anyone have thoughts on ways to simplify rule specification?
Jim
James E. Prewett address@hidden address@hidden
Systems Team Leader LoGS: http://www.hpc.unm.edu/~download/LoGS/
Designated Security Officer OpenPGP key: pub 1024D/31816D93
HPC Systems Engineer III UNM HPC 505.277.8210
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Logs-devel] simplifying LoGS rulesets,
Jim Prewett <=