[Lognorm] Shuffling spaces

James Lay jlay at slave-tothe-box.net
Mon Dec 5 19:36:28 CET 2011


Hey Rainer!

Hope the weekend was not too busy for you.  So..I'm testing out the new
%iptables% stuff....and I'm just not sure where to really put it yet.  Do
you have any examples using %iptables%?  Thank you!

James

> It currently is named the "iptables" parser, but should handle general nv
> pairs well. From the release announcement:
>
> - special handling for iptables log via %iptables% parser added
>   (currently experimental pending practical verification)
>
> Note that when the journald topic settles I want to release much more of
> lognorm. That effort rather unexpectedly came into my way and thrashed all
> my plans ;)
>
> Rainer
>
>> -----Original Message-----
>> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> bounces at lists.adiscon.com] On Behalf Of James Lay
>> Sent: Saturday, December 03, 2011 7:07 PM
>> To: lognorm
>> Subject: Re: [Lognorm] Shuffling spaces
>>
>> Hey Rainer....can you refresh my memory on the new name-value pair
>> usage?
>> I'll give that a go and see what the results are...thanks so much.
>>
>> James
>>
>> On 12/3/11 10:50 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com>
>> wrote:
>>
>> >
>> >
>> >> -----Original Message-----
>> >> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> >> bounces at lists.adiscon.com] On Behalf Of Lay, James
>> >> Sent: Friday, December 02, 2011 7:08 PM
>> >> To: lognorm at lists.adiscon.com
>> >> Subject: [Lognorm] Shuffling spaces
>> >>
>> >> Hey all!
>> >>
>> >> So...I get to deal with annoying variances in some log entries...example
>> >> snips below:
>> >>
>> >> pri=1 rule=2 proto=10264/tcp
>> >> pri=1 rule=2  proto=https
>> >>
>> >> pri=1 proto=47  src=
>> >>
>> >> The subtle spaces are interesting to deal with as I have to have, for
>> >> the first 2, separate rulebase rules like:
>> >>
>> >> %-:word% %-:word% %-:word%
>> >> %-:word% %-:word%  %-:word%
>> >>
>> >> Is there some functionality within lognorm to...I'm not sure how to
>> >> ask..."ignore" spaces?  An example below:
>> >
>> >No, that would cause backtracking again :( ... but I could add a syntax
>> >"spaces" which would somewhat resolve that problem. However, this looks
>> >like something the new name-value pair syntax can do. Can't it?
>> >
>> >Rainer
>> >>
>> >>
>> >> Rulebase:
>> >>
>> >> prefix=
>> >> rule= %-:word% %-:word%
>> >>
>> >>
>> >> log file:
>> >>
>> >> test test
>> >> test                          test
>> >>
>> >>
>> >>
>> >> Just trying to minimize having to make many rules to match small
>> >> changes.
>> >> Thanks all!
>> >>
>> >> James
>> >> _______________________________________________
>> >> Lognorm mailing list
>> >> Lognorm at lists.adiscon.com
>> >> http://lists.adiscon.net/mailman/listinfo/lognorm
