On Tue, 9 Oct 2012, Miloslav Trmac wrote:
----- Original Message -----
> If we look at this, there is a natural nesting that occurs. First the
> application data is records, with whatever fields they wish. Then, the
> data is wrapped by the log system, similar to the syslog header vs.
> content, though we probably want to be more flexible in the "header"
> fields. I think this is some of what David was explaining with his
> "trusted" fields. They are not "trusted" from the point of
security, but
> the fact that they are placed there by a more trusted service and can be
> thought of as being more reliable.
>
> Later additions can then wrap the original events.
>
> The only problem with this approach is that the most used information
> from the original event ends up buried within this nesting of
> Matryoshkas.
Could we not start reevaluating the very core of the design, and perhaps
(I know, I want a lot...) just agree on the solution that has already
been implemented, even if suboptimal?
While we shake our heads at CEE changing things, we discuss exactly the
same thing here....
(I'm quite willing to prepare patches to Fedora-relevant components to
get the field names changed to whatever the consensus is - once more.
A second change would make me very grumpy.)
Once this is out in the real world, we're going to have to live with it
for a long time. This is about our last chance to fix anything. We don't
want to make major changes, but I do think we need some way to protect
some fields, and I think a reserved prefix/subtree is far better than
trying to protect individual fields.
David Lang