[Lognorm] Shuffling spaces
Lay, James
james.lay at wincofoods.com
Fri Dec 2 19:08:29 CET 2011
Hey all!
So...I get to deal with annoying variances in some log entries...example
snips below:
pri=1 rule=2 proto=10264/tcp
pri=1 rule=2 proto=https
pri=1 proto=47 src=
The subtle spaces are interesting to deal with as I have to have, for
the first 2, separate rulebase rules like:
%-:word% %-:word% %-:word%
%-:word% %-:word% %-:word%
Is there some functionality within lognorm to...I'm not sure how to
ask..."ignore" spaces? An example below:
Rulebase:
prefix=
rule= %-:word% %-:word%
log file:
test test
test test
Just trying to minimize having to make many rules to match small
changes. Thanks all!
James
More information about the Lognorm
mailing list