gchq / event-logging-schema

Event Logging is an XML Schema for describing the auditable events generated by computer systems, hardware devices and access control systems
Apache License 2.0

Certain ResourceComplexType values should be nonNegativeInteger not positiveInteger #5

Closed burnalting closed 7 years ago

burnalting commented 7 years ago

The ResourceComplexType sub-elements InboundSize, InboundContentSize, OutboundSize and OutboundContentSize, which are transfer byte counts, should be declared as xs:nonNegativeInteger rather than xs:positiveInteger to allow for zero byte counts, which certain log sources return (e.g. Squid, Apache Httpd).

The RequestTime microsecond count should also be an xs:nonNegativeInteger, since certain log sources sometimes return 0 as the count due to resolution issues.

I realise that the absence of the element can indicate a zero size, but given the original log contains this value then perhaps the long term record should also contain the value. This is particularly important when exporting this information from Stroom to support an alternative capability that may expect a zero value given the original log contained them.

burnalting commented 7 years ago

Other counting sub-elements should also change based on source logs. For example, Windows provides a zero (0) value for both Page count and Byte count in certain printing events. Thus PrintJob/Pages, PrintJob/Pages and, to be consistent, DocumentComplexType/Pages should also change from xs:positiveInteger to xs:nonNegativeInteger to allow zero text values.

at055612 commented 7 years ago

Fixed in v3.1.0
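An added illustration of the issue discussed in this thread (not code from the thread or from the event-logging-schema project): it checks the counts from two constructed Squid native-format log lines against the value spaces of xs:positiveInteger and xs:nonNegativeInteger and reports which elements a translator would have to drop to stay schema-valid. The mapping of Squid's elapsed and bytes fields to RequestTime and OutboundSize, and the helper names, are assumptions made for the example.

```python
import re

# Lexical form shared by both XSD types: optional sign, then ASCII digits.
_INT = re.compile(r"[+-]?[0-9]+\Z")
_MINIMUM = {"positiveInteger": 1, "nonNegativeInteger": 0}

def valid(xsd_type, text):
    """True if text lies in the value space of the named XSD integer type."""
    return bool(_INT.match(text)) and int(text) >= _MINIMUM[xsd_type]

def count_elements(line, xsd_type):
    """Map one Squid native-format line to (element, text) pairs, omitting
    any count the chosen type rejects so the output stays schema-valid."""
    fields = line.split()
    elapsed_ms, nbytes = fields[1], fields[4]
    candidates = [
        ("RequestTime", str(int(elapsed_ms) * 1000)),  # ms -> microseconds (assumed mapping)
        ("OutboundSize", nbytes),                      # assumed mapping of Squid's bytes field
    ]
    return [(name, val) for name, val in candidates if valid(xsd_type, val)]

def dropped(line):
    """Elements lost under positiveInteger that nonNegativeInteger keeps."""
    kept = dict(count_elements(line, "positiveInteger"))
    return [n for n, _ in count_elements(line, "nonNegativeInteger") if n not in kept]

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    "1700000000.123 45 192.0.2.10 TCP_MISS/200 5120 GET "
    "http://example.test/a - HIER_DIRECT/198.51.100.7 text/html",
    "1700000001.456 0 192.0.2.10 TCP_MISS_ABORTED/000 0 GET "
    "http://example.test/b - HIER_DIRECT/198.51.100.7 -",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line.split()[3], "dropped under positiveInteger:", dropped(line))
```

With the elements omitted, the stored record for the second line cannot be told apart from one whose source never logged a size or timing at all.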