[Lognorm] Identifying message types
Rainer Gerhards
rgerhards at hq.adiscon.com
Tue Mar 22 10:37:49 CET 2011
Hi Wladimir,
This is a good question and you are absolutely right -- this is currently
missing. In fact, the space in front of the colon inside the rulebase is
reserved for tags, which is the classification you are looking for.
Liblognorm is in its infancy, though already quite useful in its current
state. I have paused development a bit for two reasons:
a) CEE needs to sort out some things -- I'd prefer to have some issues solved
before continuing (and re-doing some work).
b) devel prio -- right now I am working hard on getting a new stable v5
rsyslog out, and this is taking quite some toll
The feature you are asking for is definitely on the todo list, and I hope to
be able to work more on liblognorm within the next couple of weeks (this year
has been very busy - and will be - at least until mid-April).
Rainer
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Wladimir van der Laan
> Sent: Monday, March 21, 2011 7:00 PM
> To: lognorm at lists.adiscon.com
> Subject: [Lognorm] Identifying message types
>
> Hello,
>
> I have a question about the usage of lognorm. As I understand, the
> program extracts data fields from log messages in text format, by means
> of examples from a ruleset file. The output is represented as metadata
> key/value pairs.
>
> But as far as I can see, it outputs no identifier as to what kind of
> message the log line represents. For automated log processing, one
> would also need to identify the message, for example, as failed
> authentication, or dhcp request, etc.
>
> Am I overlooking something? Is it possible to add a message type field
> in a ruleset?
>
> Greetings,
> Wladimir
>
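The thread describes the mechanism in words: a rulebase holds sample messages with field markers, the normalizer extracts key/value pairs, and the part in front of the colon on a `rule=` line is where tags (the message classification Wladimir asks for) belong. The following is an added toy illustration written for this archive page, not liblognorm's own code: it models the legacy `rule=tag1,tag2:sample` line format and the `%name:type%` field markers with liblognorm-style type names (`word`, `number`, `ipv4`, `rest`), but implements matching with ordinary regular expressions rather than liblognorm's parse tree. The rulebase text and the log lines are constructed for the example; the output key `event.tags` mirrors the field name liblognorm later used for tags, and `unparsed-data` mirrors what it emits when no rule matches.

```python
"""Toy normalizer showing how tags in a rulebase classify messages.

Added example for the liblognorm mailing-list thread; not liblognorm code.
Rulebase syntax modelled on the legacy liblognorm format:
    rule=<comma-separated tags>:<sample text with %name:type% fields>
"""
import re

# Constructed rulebase. The tags before the first colon classify the message;
# %name:type% marks the fields to extract. The last rule has no tags at all.
RULEBASE = """
# sshd failed login -> tagged so a downstream consumer can route it as an auth failure
rule=sshd,auth-failure:Failed password for %user:word% from %src_ip:ipv4% port %port:number% ssh2
rule=dhcpd,dhcp-request:DHCPREQUEST for %ip:ipv4% from %mac:word% via %iface:word%
rule=:unrelated line with %stuff:rest%
"""

# Regex equivalents of a few liblognorm-style field types (simplification: the
# real library uses dedicated parsers, not regexes).
TYPE_PATTERNS = {
    "word": r"\S+",
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "rest": r".*",
}

FIELD_RE = re.compile(r"%(?P<name>[^:%]+):(?P<type>[^%]+)%")


def compile_rule(line):
    """Turn one 'rule=tags:sample' line into (tag list, anchored regex)."""
    body = line[len("rule="):]
    # The first colon separates the tag list from the sample text; the
    # colons inside %name:type% markers come later and are untouched.
    tags_part, sample = body.split(":", 1)
    tags = [t for t in tags_part.split(",") if t]
    pattern = ""
    pos = 0
    for m in FIELD_RE.finditer(sample):
        pattern += re.escape(sample[pos:m.start()])  # literal text between fields
        ftype = m.group("type")
        if ftype not in TYPE_PATTERNS:
            raise ValueError(f"unknown field type {ftype!r} in rule: {line}")
        pattern += f"(?P<{m.group('name')}>{TYPE_PATTERNS[ftype]})"
        pos = m.end()
    pattern += re.escape(sample[pos:])
    return tags, re.compile("^" + pattern + "$")


def load_rulebase(text):
    """Parse rulebase text, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rule="):
            rules.append(compile_rule(line))
    return rules


def normalize(rules, msg):
    """Return extracted fields plus the matching rule's tags, first match wins."""
    for tags, rx in rules:
        m = rx.match(msg)
        if m:
            out = dict(m.groupdict())
            out["event.tags"] = tags  # the message-type classification
            return out
    return {"unparsed-data": msg}


RULES = load_rulebase(RULEBASE)


def classify(msg):
    """Normalize one constructed log line against the constructed rulebase."""
    return normalize(RULES, msg)


if __name__ == "__main__":
    for line in (
        "Failed password for root from 203.0.113.7 port 51234 ssh2",
        "DHCPREQUEST for 192.0.2.10 from 00:11:22:33:44:55 via eth0",
        "totally unknown",
    ):
        print(classify(line))
```

The tag list is what a downstream consumer would key on: a rule whose tags include `auth-failure` can be counted or alerted on without the consumer knowing which daemon or message format produced it, which is exactly the classification the question asks for and the reply says the slot before the colon is reserved for.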