[Lognorm] Shuffling spaces
Rainer Gerhards
rgerhards at hq.adiscon.com
Sat Dec 3 20:47:03 CET 2011
It currently is named the "iptables" parser, but should handle general nv
pairs well. From the release announcement:
- special handling for iptables log via %iptables% parser added
(currently experimental pending practical verification)
Note that when the journald topic settles I want to release much more of
lognorm. That effort rather unexpectedly came into my way and thrashed all my
plans ;)
Rainer
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of James Lay
> Sent: Saturday, December 03, 2011 7:07 PM
> To: lognorm
> Subject: Re: [Lognorm] Shuffling spaces
>
> Hey Rainer....can you refresh my memory on the new name-value pair
> usage?
> I'll give that a go and see what the results are...thanks so much.
>
> James
>
> On 12/3/11 10:50 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com>
> wrote:
>
> >
> >
> >> -----Original Message-----
> >> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> >> bounces at lists.adiscon.com] On Behalf Of Lay, James
> >> Sent: Friday, December 02, 2011 7:08 PM
> >> To: lognorm at lists.adiscon.com
> >> Subject: [Lognorm] Shuffling spaces
> >>
> >> Hey all!
> >>
> >> So...I get to deal with annoying variances in some log entries...example
> >> snips below:
> >>
> >> pri=1 rule=2 proto=10264/tcp
> >> pri=1 rule=2 proto=https
> >>
> >> pri=1 proto=47 src=
> >>
> >> The subtle spaces are interesting to deal with as I have to have, for
> >> the first 2, separate rulebase rules like:
> >>
> >> %-:word% %-:word% %-:word%
> >> %-:word% %-:word% %-:word%
> >>
> >> Is there some functionality within lognorm to...I'm not sure how to
> >> ask..."ignore" spaces? An example below:
> >
> >No, that would cause backtracking again :( ... but I could add a syntax
> >"spaces" which would somewhat resolve that problem. However, this looks
> >like something the new name-value pair syntax can do. Can't it?
> >
> >Rainer
> >>
> >>
> >> Rulebase:
> >>
> >> prefix=
> >> rule= %-:word% %-:word%
> >>
> >>
> >> log file:
> >>
> >> test test
> >> test test
> >>
> >>
> >>
> >> Just trying to minimize having to make many rules to match small
> >> changes.
> >> Thanks all!
> >>
> >> James
> >> _______________________________________________
> >> Lognorm mailing list
> >> Lognorm at lists.adiscon.com
> >> http://lists.adiscon.net/mailman/listinfo/lognorm
>
>
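As an added illustration of the problem discussed in this thread (example code written for this page, not part of liblognorm or of any message above): a single-pass name=value scanner that skips runs of spaces and accepts an empty value such as `src=`, beside a rigid word-by-word match that shows why the doubled-space variant needed a rule of its own. The sample lines are constructed from the snippets James posted.

```python
import re

# Constructed sample lines modelled on the thread: same fields, differing
# whitespace between pairs, and a trailing key with an empty value.
SAMPLE_LINES = [
    "pri=1 rule=2 proto=10264/tcp",
    "pri=1  rule=2  proto=https",
    "pri=1 proto=47 src=",
]

# One key=value token; the value may be empty and stops at whitespace.
_PAIR = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>\S*)")


def parse_nv_pairs(line: str) -> dict:
    """Scan name=value pairs left to right in a single pass (no backtracking).

    Any number of spaces may separate pairs, and a value may be empty.
    Text that is not a key=value token aborts the parse so the caller can
    tell a fully understood line from a partially matched one.
    """
    fields = {}
    pos, n = 0, len(line)
    while pos < n:
        while pos < n and line[pos] == " ":   # skip any run of spaces
            pos += 1
        if pos >= n:
            break
        m = _PAIR.match(line, pos)
        if m is None:
            raise ValueError(f"unparsed text at offset {pos}: {line[pos:]!r}")
        fields[m.group("key")] = m.group("val")
        pos = m.end()
    return fields


def matches_word_rule(line: str, n_words: int) -> bool:
    """Emulate a rigid rule of n word parsers joined by single literal spaces.

    Every token must be non-empty, so a doubled space produces an empty
    token and the match fails; that is why each spacing variant needed
    its own rule in the original rulebase.
    """
    tokens = line.split(" ")
    return len(tokens) == n_words and all(tokens)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(matches_word_rule(sample, 3), parse_nv_pairs(sample))
```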