[Lognorm] Sonicwall Normalization tests & other....
Rainer Gerhards
rgerhards at hq.adiscon.com
Thu Jan 13 18:48:22 CET 2011
> Yes, quotestring would be a powerful one.. Here's what I mean
> about the "word".... Assume you have this message:
>
> msg="this is a test"
>
> If my rule is:
>
> msg="%w1:word% %w2:word% %w3:word% %w4:word%
>
> The values will turn out like:
>
> w1 = this
> w2 = is
> w3 = a
> w4 = test"
>
> Note the "
It just occurred to me that you can use char-to! Minimal doc:
http://www.liblognorm.com/files/manual/sampledatabase.htm
Rainer
>
> The quotestring is great, because then you can deal with multi-
> values within a string.. The question is, do you do it:
>
> msg="%string:quotestring%"
>
> or
>
> msg=%string:quotestring%
>
> Probably doesn't matter. Just need to make sure it's documented
> on "how" quotestring works.
>
>
> > probably, but I can't do much against this ;) (RFC3164 says it is
> > not...)
>
> My thought is syslog-ng is doing this wrong. I might bring it
> up on the syslog-ng mailing list, as I see no other way around this
> issue. My other thought is that it'll lead to arguments that I really
> don't want to be a part of... We'll see.
>
> > > Also, without the CEE definitions, I'm obviously "making up" field
> > > names as I go. If you have any pointers to "real" CEE definitions of
> > > fields, that would help. If I recall, they haven't been
> > > finalized/released yet (?)
> >
> > still the same status. I think it takes another few weeks until this
> > changes.
> > I suggest that in the interim we create a dictionary of field
> > names/semantics on liblognorm.org as an interim solution. The good
> > news is that I could add them as an alias to the then-finalized CEE
> > dictionary and make libee replace aliases with "the real thing". That
> > means you do not need to change things manually, at least at this
> > level.
> >
> > I'll see that we set up an area for the dictionary on the website very
> > soon. I hope for your feedback on getting this right ;)
>
> That sounds like a good idea. I know nothing is finalized yet,
> but there is enough work to be done that it wouldn't be good to wait
> around.
>
> Oh, you'll be getting feedback from me :) My tests with the
> sonicwall rules have gone very well. On a side note, I'll be working
> with a new client soon (about 3 weeks) in an environment that pushes
> about 60-80 million log lines a day. I'll be able to push
> Sagan/liblognorm in there for testing, which should be really
> interesting. Those numbers will likely go down a good bit, as I
> suspect a lot of "crap" noise being injected.
>
>
> --
> Champ Clark III | Softwink, Inc | 800-538-9357 x 101
> http://www.softwink.com
>
> GPG Key ID: 58A2A58F
> Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
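The behaviour discussed above, as an added example that is not part of the thread and not liblognorm's own code: a small Python re-implementation of a `word` parser and a `char-to` parser, applied to the sample message `msg="this is a test"`. It shows why four `word` fields leave the closing quote stuck to `w4`, and how a `char-to` field that reads up to the `"` extracts the whole quoted value instead. The rule strings follow the `%name:type[:arg]%` form used in the thread; the function names and the simplified matcher are assumptions of this example, not liblognorm's API.

```python
"""Illustrative re-implementation (not liblognorm) of two field parsers.

Rule syntax handled here (simplified, assumed for this example):
  literal text            matched character by character
  %name:word%             run of non-whitespace characters
  %name:char-to:X%        everything up to, not including, the character X
"""


def parse_word(msg, pos):
    """Consume a run of non-whitespace characters starting at pos."""
    end = pos
    while end < len(msg) and not msg[end].isspace():
        end += 1
    if end == pos:
        return None, pos          # no word here: mismatch
    return msg[pos:end], end


def parse_char_to(msg, pos, stop):
    """Consume characters up to (not including) the stop character.

    Returns (None, pos) when the stop character never appears, which is
    the failure mode for an unterminated quoted value."""
    end = msg.find(stop, pos)
    if end == -1:
        return None, pos
    return msg[pos:end], end


def apply_rule(rule, msg):
    """Match a rule against msg; return extracted fields or None on mismatch."""
    fields = {}
    pos = 0       # position in the message
    i = 0         # position in the rule
    while i < len(rule):
        if rule[i] == '%':
            j = rule.index('%', i + 1)             # closing '%' of the field
            spec = rule[i + 1:j].split(':')        # name, type, optional arg
            name, ptype = spec[0], spec[1]
            if ptype == 'word':
                val, pos = parse_word(msg, pos)
            elif ptype == 'char-to':
                val, pos = parse_char_to(msg, pos, spec[2])
            else:
                raise ValueError('unsupported parser type: %s' % ptype)
            if val is None:
                return None
            fields[name] = val
            i = j + 1
        else:
            # literal rule text must match the message exactly
            if pos < len(msg) and msg[pos] == rule[i]:
                pos += 1
                i += 1
            else:
                return None
    if pos != len(msg):
        return None                                 # trailing unmatched input
    return fields


# Constructed sample message and the two rules from the discussion.
SAMPLE_MSG = 'msg="this is a test"'
WORD_RULE = 'msg="%w1:word% %w2:word% %w3:word% %w4:word%'
CHAR_TO_RULE = 'msg="%text:char-to:"%"'


if __name__ == '__main__':
    print(apply_rule(WORD_RULE, SAMPLE_MSG))       # w4 keeps the closing quote
    print(apply_rule(CHAR_TO_RULE, SAMPLE_MSG))    # one clean quoted value
    print(apply_rule(CHAR_TO_RULE, 'msg="unterminated'))  # None: no closing quote
```

With the `word` rule the result is `w4 = test"`, exactly as described in the quoted message; with the `char-to` rule the quote stays in the literal part of the rule and `text` comes out as `this is a test`. A message that lacks the closing quote simply fails to match rather than producing a half-parsed field, which is the behaviour a normalizer should have before downstream rules act on the value.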