[logs] regexless parsing, again?
Tina Bird
tbird at precision-guesswork.com
Wed Sep 19 11:40:12 PDT 2007
[Messages spliced together for logical flow...]
> Isn't this list moderated?
Yes, this list is moderated. I've been doing it solo (with occasional bursts
of assistance from Marcus) since its creation; I'm currently ably partnered
by Dee-Ann LeBlanc, of Splunk, who amongst other things is a Linux wizard.
I should point out for the sake of our non-Splunk vendor participants that I
moderate all posts originating from vendors, to try to minimize any vendor
bias. The list has been vendor neutral for a long time; I intend to keep it
that way.
> --- "Marcus J. Ranum" <mjr at ranum.com> wrote:
>
> > >> There have been some amazing advances in hardware
> > to do PCRE.
> >
> > That'd be the "hardware turbo-charged lipstick on a
> > pig" option.
> Being a nobody in this sector, I personally like
> getting different points of views and hearing about
> these new methods and ideas for doing things.
Please don't belittle yourself and your experience. There are certainly a
few of us who are more vocal than most list members. Whether or not that's a
good thing, I don't know -- more input is great, higher levels of traffic
might be annoying...but in any event, every person who participates in a
discussion has the same right and expectation of being heard.
Anyways, didn't you say you were involved with security at Cisco? To me,
that implies a certain level of operational exposure and experience that
hardly qualifies you as a "nobody" -- I expect you must have a lot of data
and conclusions from the ginormous Cisco infrastructure that are quite
relevant to this discussion.
> A post like this really just mutes the conversation.
> These "I know better than you" posts have basically
> killed this interesting thread without adding anything
> to it...
Have you been on this list for a while? If you've followed mjr's typical
posting style, this message will not seem out of place -- and the rest of us
tend to laugh and go on, or completely ignore them.
As far as I can tell by reviewing the last few messages in this thread, we
are at a point in the discussion best summarized by Tom Le:
"More like: "Marcus, you should separate discussion of regexes vs. other
parsing approaches into separate categories: performance, initial ruleset
development cost, and on-going maintenance."
Each discussion has its pros and cons with different cost(x) *
complexity(y) functions depending on what you're doing and the size of your
rulesets. I was just trying to explore a deeper level of discussion than
the usual 'regexes suck' or 'PCRE performance sucks' or 'maintaining 100,000
rules is ugly' type discussions."
So far I've seen few substantive responses to Tom's summary. Come on, folks,
carry on! I have a lot of opinions on the development of regexes and
rulesets, mostly from my days at Counterpane. I don't have time right this
very moment to summarize them, but I will do so later on today.
In the meantime, the other 1800+ of you can carry the thread ;-)
Hope that helps -- tbird