[Phplogcon-dev] phplogcon without user managment

Brian Shea bgshea at gmail.com
Wed Dec 14 07:06:46 CET 2005


Rainer,

I did some MySQL research on searching DBs. MySQL supports Full Text Search
(http://dev.mysql.com/doc/refman/5.0/en/fulltext-boolean.html), which works
well. I have not looked at MSSQL; unfortunately I cannot find an MSSQL
server to test SQL queries on.

Here is a good example SQL search

SELECT `Message`,`SysLogTag`, COUNT(`Message`)
FROM `SystemEvents`
WHERE MATCH(`Message`) AGAINST('+proftpd +(LOGIN no such user)' IN BOOLEAN MODE)
GROUP BY(`SysLogTag`)

This works for my Messages and phpMyAdmin returns

 Message                                                SysLogTag  COUNT( `Message` )
 proftpd[5035]: 192.168.1.2 (64.42.157.76[64.42.157...             1011

(I hope you can view that okay, it's html)

For some reason the Syslog tag for proftpd is not placed into the syslogtag
field (not too worried about it right now, maybe you could look into it though)


So what that did for me is it found all messages that contained proftpd and
with any of the words (LOGIN, no, such, user) <-- these are ORed

This works if you set FullText search on the message fields. Also the table must
be MyISAM. Please see
(http://dev.mysql.com/doc/refman/5.0/en/fulltext-restrictions.html)

The same query can be accomplished with this SQL statement:

SELECT `Message`,`SysLogTag`, COUNT(`Message`)
FROM `SystemEvents`
WHERE (`Message` LIKE 'proftpd%')
AND (`Message` LIKE '%no%' OR
     `Message` LIKE '%such%' OR
     `Message` LIKE '%user%' OR
     `Message` LIKE '%LOGIN%')
GROUP BY(`SysLogTag`)

Which returns 6 more messages, not sure why; it might be picking up the single
word 'no' or 'such' that the first search would have dropped.

 Message                                                SysLogTag  COUNT( `Message` )
 proftpd[5035]: 192.168.1.2 (64.42.157.76[64.42.157...             1017

This is probably more portable across SQLs but, as you can see, tougher to
write.

Last one, I promise:
This SQL Statement returns the same number as the first:

SELECT `Message`,`SysLogTag`, COUNT(`Message`)
FROM `SystemEvents`
WHERE (`Message` LIKE 'proftpd%')
AND (`Message` LIKE '%no such user%' OR
         `Message` LIKE '%LOGIN%')
GROUP BY(`SysLogTag`)

 Message                                                SysLogTag  COUNT( `Message` )
 proftpd[5035]: 192.168.1.2 (64.42.157.76[64.42.157...             1011

This was the intended result, all messages that contained 'proftpd' and the
phrase 'no such user' or 'proftpd' and the word 'LOGIN'

So, I guess my point is, we need a way to separate phrases from single words
with boolean operators. For a first try!!!!

My suggestion, and it is only a suggestion, and I think it follows your same
thinking. Searches are entered as such

SEARCH: proftpd & ('no such user' | login)
SEARCH: proftpd & ("no such user" | login)
SEARCH: proftpd & (no such user | login)

treat all these the same, only assume ANDing/ORing when user specifies.

PLEASE NOTE single or double quotes will do the same thing. PLEASE!! that
will make things easier for everyone. Parentheses are important. They can
follow the SQL syntax.

Since we read left to right, syntax will follow that thinking:

SEARCH: proftpd & no such user | login

would be the same as

SEARCH: (proftpd & "no such user") | login

Because I think that is how SQL will treat the AND OR in the Where clause.

-Brian

On 12/13/05, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
>
> Not sure about the google link, but "apples AND bananas", in my opinion
> should search for the literal "apples and bananas" but not "apples
> bananas". If I want the latter, I'd say
>
> "apples" and "bananas"
>
> The double quotes are actually (in most such search engines) a tool to
> search for exact phrases. I am pretty sure the same applies to google
> (at least this is how I use it ;)).
>
> Rainer
>
> > -----Original Message-----
> > From: phplogcon-dev-bounces at lists.adiscon.com
> > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > Brian Shea
> > Sent: Tuesday, December 13, 2005 5:05 PM
> > To: phplogcon-dev at lists.adiscon.com
> > Subject: Re: [Phplogcon-dev] phplogcon without user managment
> >
> > Okay, that is something to think about. I'll have to look at the google link
> > after work.
> >
> > Yeah, that was a generic message that should never be displayed. I guess
> > they should have been different, probably just copy/pasted it and forgot to
> > change the text.
> >
> > In DB_PEAR_sess_drv.php in line 155 that should have been taken care of in
> > the config.php file
> >
> > if not, then that's where the fix needs to go, not in the switch statement.
> > And should be done for each of the field constants.
> >
> > define('_DBSESS_DATA_FIELD', _DBSESS_FIELD_PRE . "sess_data");
> >
> > Oh, there is a problem when session ids are passed in the URL, the quick
> > filters don't work quite right. I'm not sure why.
> >
> > Thanks,
> > Brian
> >
> > On 12/13/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
> > >
> > > Google Help Center -> Advanced Search Made Easy
> > > http://www.google.com/help/refinesearch.html
> > >
> > > Google does not care about "AND" operator. Google includes all search
> > > terms by default. We should adapt this approach.
> > >
> > > This means
> > >
> > > > Okay, that sounds good, I think we should discuss the syntax:
> > > >
> > > > double quote designates the search pattern
> > > >
> > > > Message Contains:  "apple AND banana"
> > >
> > > Should be equal with "apple banana", shouldn't it?
> > >
> > > (just a side note, because it is interesting but has nothing to do with
> > > phplogcon:
> > > http://www.google.com/search?q=apple+AND+banana
> > > and
> > > http://www.google.com/search?q=apple+banana
> > > have different result pages.)
> > >
> > > >
> > > > in this search the AND is not a literal and, but a search modifier. Search
> > > > results will return events with both word: apple, banana
> > > >
> > > > Message Contains:  "apple 'AND' banana"
> > >
> > > We should use double quotes (") instead of single quote (') like google.
> > > http://www.google.com/search?q=apple+%22and%22+banana
> > >
> > > >
> > > > in this search the AND is a literal and, which will be included in the
> > > > search. Search results will return messages that contain the entire "apple
> > > > and banana"
> > > >
> > > > Same goes for OR for the above.
> > >
> > > Ok.
> > >
> > > > Now the slightly more complicated part
> > > >
> > > > Message Contains: "red apples AND yellow bananas"
> > > >
> > > > The search should be performed as such "red AND apples AND yellow AND
> > > > bananas" Results will display all event with those words
> > >
> > > I would go on with this approach, because it is like Google.
> > >
> > > >
> > > > Or could be performed as such:
> > > >
> > > > Message Contains: "red apples AND yellow bananas "
> > > >
> > > > The search will be performed as such " 'red apples' AND 'yellow bananas' "
> > > > Results will contain all events with 'red apples' AND 'yellow bananas'. But
> > > > not events like 'red delicious apples' or 'yellow delicious bananas'
> > >
> > > If you want perform such a search you have to enclose with quotes.
> > > http://www.google.com/search?q=%22red+apples%22+AND+%22yellow+bananas%22
> > >
> > > Michael
> > >
> > > > PLEASE comment on the above.
> > > > -----
> > > >
> > > > If we try to tackle the first two on the list AND/OR, we can build on it
> > > > from there, but changing the syntax from release to release might confuse
> > > > users, so we should figure out how the language is interpreted. Maybe a few
> > > > google searches to see how google interprets things might be a good place to
> > > > start.
> > > >
> > > > I might be able to hack out a simple searcher tonight, nothing that could be
> > > > used in phpLogCon, but enough to show how to start processing the search
> > > > terms.
> > > >
> > > > Brian
> > > >
> > > > On 12/13/05, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> > > > >
> > > > > That sounds pretty interesting. If we can offload some work to a
> > > > > standard library, that is helpful in many cases (assuming that the
> > > > > library is a good one, of course ;)).
> > > > >
> > > > > Rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: phplogcon-dev-bounces at lists.adiscon.com
> > > > > > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > > > > > Brian Shea
> > > > > > Sent: Tuesday, December 13, 2005 1:27 AM
> > > > > > To: phplogcon-dev at lists.adiscon.com
> > > > > > Subject: Re: [Phplogcon-dev] phplogcon without user managment
> > > > > >
> > > > > > So what do you think of the 1.2.6_bgs?
> > > > > >
> > > > > > You can use as much/little as you want and I can help put what you need
> > > > > > into 1.2.1/1.2.2.
> > > > > >
> > > > > > Also, I played with the Auth_PrefManager from PEAR, it works okay, maybe
> > > > > > that should be considered for a future release of phpLogCon along with
> > > > > > PEAR:DB which works nicely.
> > > > > >
> > > > > > PEAR::Auth_PrefManager lacks one function
> > > > > > Auth_PrefManager::getUserPrefs( string userId ).  Otherwise it would work
> > > > > > great for all the Quick filters and definable filters, and maybe even
> > > > > > supporting multiple DB's/Tables for log viewing.
> > > > > >
> > > > > > I'll probably write the function and email it to them.
> > > > > >
> > > > > > -Brian
> > > > > >
> > > > > > On 12/12/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
> > > > > > >
> > > > > > > > Michael, were you having trouble with the trailing slash removal? If so
> > > > > > > > what was the problem? we should fix it to work with IIS and Apache.
> > > > > > >
> > > > > > > Just noticed, you have already fixed this issue in phplogcon-1.2.6_bgs
> > > > > > > :-)
> > > > > > >
> > > > > > > Michael
> > > > > > > _______________________________________________
> > > > > > > Phplogcon-dev mailing list
> > > > > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > > > > >
> > > > > > _______________________________________________
> > > > > > Phplogcon-dev mailing list
> > > > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > > > >
> > > > > _______________________________________________
> > > > > Phplogcon-dev mailing list
> > > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > > >
> > > > _______________________________________________
> > > > Phplogcon-dev mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > _______________________________________________
> > > Phplogcon-dev mailing list
> > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > >
> > _______________________________________________
> > Phplogcon-dev mailing list
> > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> >
> _______________________________________________
> Phplogcon-dev mailing list
> http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
>
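
Added example, not part of the original thread and not phpLogCon code: one way to turn the search syntax proposed above (quoted or bare phrases, & and |, parentheses, left-to-right grouping) into a WHERE fragment with bound parameters, so search text never becomes SQL and LIKE wildcards in it match literally. The function names and the substring match on `Message` are assumptions.

```php
<?php
// Added example (not phpLogCon code). Hypothetical helpers: tokenize(), parseExpr(),
// parseAtom(), buildWhere(). Assumes every term is a substring match on `Message`.
function tokenize(string $q): array {
    // Operators/parentheses, quoted phrases (either quote style), or runs of bare words.
    preg_match_all('/([&|()])|"([^"]*)"|\'([^\']*)\'|([^&|()"\']+)/', $q, $m, PREG_SET_ORDER);
    $tokens = [];
    foreach ($m as $g) {
        if ($g[1] !== '') { $tokens[] = ['op', $g[1]]; continue; }
        $text = trim(($g[2] ?? '') . ($g[3] ?? '') . ($g[4] ?? ''));
        if ($text !== '') $tokens[] = ['term', $text];   // bare "no such user" stays one phrase
    }
    return $tokens;
}
function parseExpr(array &$tok, array &$params): string {
    // & and | have equal precedence and group left to right, as proposed in the message.
    $sql = parseAtom($tok, $params);
    while ($tok && $tok[0][0] === 'op' && ($tok[0][1] === '&' || $tok[0][1] === '|')) {
        $op = array_shift($tok)[1] === '&' ? 'AND' : 'OR';
        $sql = "($sql $op " . parseAtom($tok, $params) . ')';
    }
    return $sql;
}
function parseAtom(array &$tok, array &$params): string {
    $t = array_shift($tok);
    if ($t === null) throw new InvalidArgumentException('unexpected end of search');
    if ($t[0] === 'term') {
        // Bind the text as a parameter; escape LIKE wildcards so it matches literally.
        $params[] = '%' . strtr($t[1], ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
        return '`Message` LIKE ?';
    }
    if ($t[1] !== '(') throw new InvalidArgumentException("unexpected '{$t[1]}'");
    $sql = parseExpr($tok, $params);
    if (array_shift($tok) !== ['op', ')']) throw new InvalidArgumentException('missing )');
    return $sql;
}
function buildWhere(string $search): array {
    $tok = tokenize($search);
    $params = [];
    $sql = parseExpr($tok, $params);
    if ($tok) throw new InvalidArgumentException('unexpected trailing input');
    return [$sql, $params];
}

// Constructed input: two of the search forms from the message.
foreach (['proftpd & ("no such user" | login)', 'proftpd & no such user | login'] as $q) {
    [$where, $params] = buildWhere($q);
    echo "$q\n  WHERE $where\n  bind: " . json_encode($params) . "\n";
}
```

The returned fragment and bind list are meant to be passed to a prepared statement; every group is emitted with explicit parentheses, so the result does not depend on SQL's own AND/OR precedence.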


