[Lognorm] Identifying message types

Wladimir van der Laan laanwj at gmail.com
Tue Mar 22 12:33:02 CET 2011


Hello Rainer,

Thanks for the explanation. Looks like I was right in my feeling that this
was missing.

I understand your rationale to wait for CEE on this, though. I read their
spec, and they propose that the identification of a message includes object,
action and status. But they haven't defined exactly what these should be,
neither do they give any examples.

They still have quite a lot of definition work to do. Hopefully it won't
take too long; a standard for logging is very badly needed, and the longer
it takes, the more developers will yet again come up with their own
solutions.

I'm currently classifying all kinds of events in Zenoss Core, and realized
that when I was defining regexp patterns I could just as well tell it how to
extract out the interesting information for analysis and more useful
presentation. Which is how I got to this project.

Wladimir

BTW: great work on rsyslog.

On Tue, Mar 22, 2011 at 10:37 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:

> Hi Wladimir,
>
> This is a good question and you are absolutely right -- this is currently
> missing. In fact, the space in front of the colon inside the rulebase is
> reserved for tags, which is the classification you are looking for.
> Liblognorm is in its infancy, though already quite useful in its current
> state. I have paused development a bit for two reasons:
>
> a) CEE needs to sort out some things -- I'd prefer to have some issues
> solved before continuing (and re-doing some work).
> b) devel prio -- right now I am working hard on getting a new stable v5
> rsyslog out, and this is taking quite some toll
>
> The feature you are asking for is definitely on the to-do list, and I hope
> to be able to work more on liblognorm within the next couple of weeks (this
> year has been very busy - and will be - at least until mid-april).
>
> Rainer
>
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > bounces at lists.adiscon.com] On Behalf Of Wladimir van der Laan
> > Sent: Monday, March 21, 2011 7:00 PM
> > To: lognorm at lists.adiscon.com
> > Subject: [Lognorm] Identifying message types
> >
> > Hello,
> >
> > I have a question about the usage of lognorm. As I understand, the
> > program extracts data fields from log messages in text format, by means
> > of examples from a ruleset file. The output is represented as metadata
> > key/value pairs.
> >
> > But as far as I can see, it outputs no identifier as to what kind of
> > message the log line represents. For automated log processing, one
> > would also need to identify the message, for example, as failed
> > authentication, or dhcp request, etc.
> >
> > Am I overlooking something? Is it possible to add a message type field
> > in a ruleset?
> >
> > Greetings,
> > Wladimir
> >
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
>
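To make the exchange above concrete, here is a small added example (not liblognorm's own code, and not from either poster) that models the rulebase layout Rainer describes: a comma-separated tag list sits in front of the colon, and the sample text with `%name:type%` fields follows it. Tags supply the message classification Wladimir asked for, the fields become the key/value output. The rule lines, field types and log lines below are constructed for the example; real liblognorm builds a parse tree and supports many more field types than this first-match regex toy.

```python
"""Toy normaliser modelled on the rulebase idea from the thread.

Assumed rule syntax (a simplified model, not liblognorm's full format):
    rule=<tag>,<tag>,...:<sample message with %field:type% placeholders>
Everything before the first colon is the tag list (the message classification);
everything after it is the sample the log line must match.
"""
import re

# Field types this toy understands, mapped to regex fragments (constructed here).
FIELD_TYPES = {
    "word": r"\S+",
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "rest": r".*",
}

FIELD_RE = re.compile(r"%(\w+):(\w+)%")

# Constructed sample rulebase: two message types, each carrying its own tags.
SAMPLE_RULEBASE = """
# authentication failure from an sshd-style line
rule=auth,failure:Failed password for %user:word% from %src_ip:ipv4% port %src_port:number% ssh2
# dhcp request from a dhcpd-style line
rule=dhcp,request:DHCPREQUEST for %ip:ipv4% from %mac:word% via %iface:word%
"""


def compile_rule(rule_line):
    """Turn one 'rule=tags:sample' line into (tags, anchored compiled regex)."""
    if not rule_line.startswith("rule="):
        raise ValueError("not a rule line: %r" % rule_line)
    body = rule_line[len("rule="):]
    tags_part, sample = body.split(":", 1)  # tags cannot contain ':'; the sample may
    tags = [t for t in tags_part.split(",") if t]

    # Literal text is escaped, each %name:type% becomes a named capture group.
    pattern, pos = "", 0
    for m in FIELD_RE.finditer(sample):
        pattern += re.escape(sample[pos:m.start()])
        name, ftype = m.group(1), m.group(2)
        if ftype not in FIELD_TYPES:
            raise ValueError("unknown field type %r in %r" % (ftype, rule_line))
        pattern += "(?P<%s>%s)" % (name, FIELD_TYPES[ftype])
        pos = m.end()
    pattern += re.escape(sample[pos:])
    return tags, re.compile("^" + pattern + "$")


def load_rulebase(text):
    """Parse a rulebase, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(compile_rule(line))
    return rules


def normalize(rules, line):
    """Return the extracted fields plus the matching rule's tags.

    First matching rule wins. Lines no rule matches are tagged 'unparsed'
    and kept whole so nothing is silently dropped from the pipeline.
    """
    for tags, rx in rules:
        m = rx.match(line)
        if m:
            event = dict(m.groupdict())
            event["tags"] = list(tags)
            return event
    return {"tags": ["unparsed"], "originalmsg": line}


# Constructed log lines for the demonstration (192.0.2.0/24 is documentation space).
SAMPLE_LINES = [
    "Failed password for root from 192.0.2.10 port 51234 ssh2",
    "DHCPREQUEST for 192.0.2.55 from 00:11:22:33:44:55 via eth0",
    "kernel: something the rulebase does not know about",
]


def run_demo():
    """Normalise every sample line; returns the list of events."""
    rules = load_rulebase(SAMPLE_RULEBASE)
    return [normalize(rules, line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in run_demo():
        print(ev)
```

With the tags carried in the output, a downstream consumer can route on `event["tags"]` (for example, count everything tagged `failure`) without having to know which rule produced the fields; that is the classification the original question was looking for.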