messagestore.xml draft

Francis J. Lacoste flacoste at logreport.org
Sat Feb 9 19:46:06 CET 2002 

On Thu, Feb 07, 2002 at 05:39:29PM +0100, Joost van Baal wrote:
After reviewing the qopper, courier, UW-Washington IMAP and Netscape
Messaging Server log files, I have a few suggestions to the proposed 
schema.

> >
> > <lire:field name="time"                type="timestamp"/>

What does this time represent ? In all except qpopper, this can be 
the session start time. (In QPopper, we only have the time at which the
Stat event is logged, which I guess is at the end).

I suggest that we name this field start_time and that we add a
session_length field 

<lire:field name="session_length" type="duration"/>

> > <lire:field name="remote_host"         type="hostname"/>
> > <lire:field name="remote_ip"           type="ip"/>

Fine.

> > <lire:field name="downloaded_size"     type="bytes"/>
> > <lire:field name="downloaded_message"  type="int"/>
> > <lire:field name="stored_size"         type="bytes"/>
> > <lire:field name="stored_message"      type="int"/>

With courier, we can distinguish between headers and body download.
(top, retr in POP, headers, body in IMAP). Should we split this into

headers_dowload, msg_download, etc. 

Should we also cover the deleted (logged by qpopper) and new mail
(logged by UW) information?

> > <lire:field name="username"            type="string"/>
> >
>

I'd like to add the following field:

- protocol/string (to know if this was a IMAP, IMAP/SSL, POP, POP/SSL session,
  etc.)
- login_type/string (for service that logs the login type: plaintext, CRAM-MD5,
  etc.)
- error_msg/string (for failed login, session closed abnormally, etc.)

[...]

> When dealing with imap or pop logfiles, we could split it in a
> login-style log file, and a pure messagestore logfile.  See e.g.
> http://logreport.org/contact/lists/development/msg00438.php .  When
> generating reports, we could merge the information extracted from the
> two dlf's.  This would make it easy to show reports on failed
> authentications too.

For this, it would be better to use a multiple-events DLF schema
where the kind of event is represented by an event identifier (this was
proposed, offlist unfortunately, by Arnaud Taddei). Instead of using one
record to represent a session, one record could represent a failed
login, another a login attemp, another a stat event, etc. 
With the proposed DLF schema where one record represent a session, 
I think we cover some useful subset of what we can achieve with a
multiple-events-by-DLF solution by adding the fields I proposed, until
the other more complete solution is completely designed.

[...]
> 
> I would like to add your messagestore.xml to our CVS, if that's ok with
> you.  We could distribute it with next Lire release (or maybe the one
> after the feb 14 release.)  

Since we are that near to releasing, I think it's better to ship this in a
post-Feb14 release.


Francis J. Lacoste

-- 
Francis J. Lacoste              . .           http://www.logreport.org
/^LogReport$/               . .               flacoste at logreport.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.logreport.org/pipermail/development/attachments/20020209/1879797c/attachment.bin

More information about the Development mailing list