[logs] regexless parsing, again?
Mordechai T. Abzug
morty at frakir.org
Fri Sep 14 02:18:55 PDT 2007
On Thu, Sep 13, 2007 at 06:55:23PM -0400, Marcus J. Ranum wrote:
> - Yes, it will use a pseudo-XML like intermediate form. close enough
> to XML to annoy those of us who hate XML but incompatible
> enough with XML to annoy the XML nazis.
> - It will be embeddable as a re-entrant library and should plug into
> pretty much anything.
> - It will not be syslog-specific.
Is the intent to eliminate the need for manual configuration, or just
to exchange manual regex configuration for a manual lex+yacc-style
setup?
If the former, more power to you.
If the latter, you may be trading in one kind of tyranny for another
kind of tyranny. A lex+yacc setup will still require lots of
intervention and expertise. You might get better performance, but you
may also run into the limits of LALR(1); logs can need a lot of
lookahead. If you put in more lookahead, you'll start running into
the same performance problems as regexes.
Anyway, looking forward to whatever you come up with!
- Morty
More information about the LogAnalysis
mailing list