From mboxrd@z Thu Jan 1 00:00:00 1970
From: Randy Zagar
Subject: Re: Linux-audit Digest, Vol 47, Issue 12
Date: Thu, 14 Aug 2008 09:35:43 -0500
Message-ID: <48A442BF.6050204@arlut.utexas.edu>
References: <20080814140427.18C0861A30F@hormel.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path:
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m7EEZtsP002790
	for ; Thu, 14 Aug 2008 10:35:55 -0400
Received: from ns2.arlut.utexas.edu (ns2.arlut.utexas.edu [146.6.211.1])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id m7EEZiZi019030
	for ; Thu, 14 Aug 2008 10:35:45 -0400
Received: from ns5.arlut.utexas.edu (ns5.arlut.utexas.edu [10.4.1.6])
	by ns2.arlut.utexas.edu (8.13.1/8.13.1) with ESMTP id m7EEZi4x025382
	for ; Thu, 14 Aug 2008 09:35:44 -0500
Received: from [10.8.19.44] (bofh.arlut.utexas.edu [10.8.19.44])
	by ns5.arlut.utexas.edu (8.13.1/8.13.1) with ESMTP id m7EEZhls001318
	for ; Thu, 14 Aug 2008 09:35:43 -0500
In-Reply-To: <20080814140427.18C0861A30F@hormel.redhat.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 13 August 2008 13:02:05 Steve Grub wrote:
> On Wednesday 13 August 2008 12:25:09 Klaus Heinrich Kiwi wrote:
>> > I like Mathew's idea of having a binary format though. Maybe it's
>> > possible to carry the legacy format for some time while we have a more
>> > robust (and extensible) binary format in parallel? And then having a
>> > binary format version tag within each record?
>> >
> Yes, there would have to be a migration path. I think we talked about XDR as a
> possibility 4 years ago because it's already inside the kernel. The kernel
> guys at the time wanted to re-use something already inside or something that
> was compact in its representation.
>
> What I believe led to text based was the general feeling that logs should be
> human readable with less, tail, or vi if need be.
>
> A problem with binary representations will be what happens with aggregated
> big-endian and little-endian system logs?
>

Aggregated logs from big-endian and little-endian systems should not be
a problem if you use XDR... the endian-ness of the cpu is completely
irrelevant.

IMHO, text would be preferable, but I don't have a dog in this fight...

-RZ

-- 
Randy Zagar                               Sr. Unix Systems Administrator
E-mail: zagar@arlut.utexas.edu            Applied Research Laboratories
Phone: 512 835-3131                       Univ. of Texas at Austin
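
The byte-order point in the reply above, as an added example that is not part of the original message: a minimal XDR (RFC 4506) encoder and decoder built on Python's struct module, next to a raw native-order dump of the same fields. The record layout (serial, type, timestamp, message) and the sample values are assumptions made for illustration, not the audit subsystem's format.

```python
import struct

# Constructed sample record: serial, type, timestamp (seconds), message.
RECORD = (4242, 1300, 1218724543, "syscall=2 success=yes")
HEADER = 20  # uint32 + uint32 + unsigned hyper + uint32 string length


def xdr_string(data: bytes) -> bytes:
    """XDR string: 4-byte big-endian length, bytes, zero padding to 4 bytes."""
    pad = (4 - len(data) % 4) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad


def xdr_encode(serial: int, rtype: int, ts: int, msg: str) -> bytes:
    """Every XDR integer is big-endian on the wire, whatever the host CPU is."""
    return struct.pack(">IIQ", serial, rtype, ts) + xdr_string(msg.encode("utf-8"))


def xdr_decode(buf: bytes):
    """Strict decode: reject truncated records, bad lengths, non-zero padding."""
    if len(buf) < HEADER:
        raise ValueError("truncated record")
    serial, rtype, ts, n = struct.unpack_from(">IIQI", buf, 0)
    padded = n + (4 - n % 4) % 4
    if len(buf) != HEADER + padded:
        raise ValueError("length field does not match record size")
    if any(buf[HEADER + n:]):
        raise ValueError("non-zero padding bytes")
    return serial, rtype, ts, buf[HEADER:HEADER + n].decode("utf-8")


def native_dump(order: str, serial: int, rtype: int, ts: int) -> bytes:
    """Fixed fields as a host would write them raw: '<' little, '>' big endian."""
    return struct.pack(order + "IIQ", serial, rtype, ts)


def read_fixed(order: str, buf: bytes):
    """Read the fixed fields assuming the given byte order."""
    return struct.unpack_from(order + "IIQ", buf, 0)


if __name__ == "__main__":
    wire = xdr_encode(*RECORD)
    print("XDR bytes:", wire.hex())
    print("decoded  :", xdr_decode(wire))
    # A raw little-endian dump read by a big-endian aggregator is misparsed.
    print("misread  :", read_fixed(">", native_dump("<", *RECORD[:3])))
```

Because the encoder fixes the byte order in the format itself, an aggregator can decode records from any host without knowing which architecture wrote them; the raw dump only decodes correctly when reader and writer happen to agree.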