a fast samples-based log normalization library
Branch: master
Clone or download

README

Liblognorm is a fast-samples based normalization library.

More information on liblognorm can be found at
    http://www.liblognorm.com

Liblognorm evolves since several years and was intially meant to be used primarily with
the Mitre CEE effort. Consequently, the initial version of liblognorm (0.x)
uses the libee CEE support library in its API.

As time evolved, the initial CEE schema underwent considerable change. Even
worse, Mitre lost funding for CEE. While the CEE ideas survived as part
of Red Hat-driven "Project Lumberjack", the data structures became greatly
simplified and JSON based. That effectively made libee obsolete (and also
in parts libestr, which was specifically written to support CEE's
initial requirement of embedded NUL chars in strings).

In 2013, Pavel Levshin converted liblognorm to native JSON, which helped
improve performance and simplicity for many client applications.
Unfortunately, this change broke interface compatibility (and there was
no way to avoid that, obviously...).

In 2015, most parts of liblognorm were redesigned and rewritten as part
of Rainer Gerhards' master thesis. For full technical details of how
liblognorm operates, and why it is so fast, please have a look at

https://www.researchgate.net/publication/310545144_Efficient_Normalization_of_IT_Log_Messages_under_Realtime_Conditions

The current library is the result of that effort. Application developers
are encouraged to switch to this version, as it provides the benefit of
a simpler API. This version is now being tracked by the git master branch.

However, if you need to stick to the old API, there is a git branch
liblognorm0, which contains the previous version of the library. This
branch is also maintained for important bug fixes, so it is safe to use.

We recommend that packagers create packages both for liblognorm0 and
liblognorm1. Note that liblognorm's development packages cannot
coexist on the same system as the PKGCONFIG system would get into
trouble. Adiscon's own packages follow this schema.