[Lognorm] type:char-to: issues (?)
Champ Clark III [Softwink]
champ at softwink.com
Tue Jan 18 18:34:14 CET 2011
I might have two issues coming up, but let me explain
them one at a time: First (this is for DNS), here's my input from
the syslog message:
unexpected RCODE (REFUSED) resolving '1.0.168.192.in-addr.arpa/PTR/IN': 10.20.1.1#53
Here's my rule:
rule=: unexpected RCODE (SERVFAIL) resolving '%type:char-to:\x27%': %src-ip%ipv4#%src-port:number%
Here's my normalized output:
Normalize output: [cee at 115 originalmsg=" unexpected RCODE (SERVFAIL) resolving 'example.com/MX/IN': 66.197.215.181#53" unparsed-data=".197.215.181#53"]
Note the "unparsed-data" (of course). I'd expect "type" to become
"example.com/MX/IN". However, it's 'eating' through the first
octet of the src-ip.
While I was pretty sure it wouldn't work, I tried the new
quoted-string, but as I expected that didn't work. I'm assuming
quoted-string only handles "'s and not 's ? That might be a 'feature'
to add to quoted-string as well.
--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
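As an added example (not liblognorm's code, and not part of the original post), a small Python matcher that applies the rule's field syntax to the sample message, with char-to stopping before the escaped quote character. It assumes liblognorm's %name:type[:extra]% field form, so the address field is written as %src-ip:ipv4% here.

```python
import re

# Constructed sample messages, shaped like the lines quoted in the post.
SAMPLE = ("unexpected RCODE (SERVFAIL) resolving 'example.com/MX/IN': "
          "66.197.215.181#53")
REFUSED = ("unexpected RCODE (REFUSED) resolving "
           "'1.0.168.192.in-addr.arpa/PTR/IN': 10.20.1.1#53")

# Rule in %name:type[:extra]% form; \x27 is the escaped single quote.
RULE = ("unexpected RCODE (SERVFAIL) resolving '%type:char-to:\\x27%': "
        "%src-ip:ipv4%#%src-port:number%")

FIELD_RE = re.compile(r"%([^%:]+):([^%:]+)(?::([^%]*))?%")

def _parse_field(ftype, extra, text, pos):
    """Consume one field of TEXT at POS; return (value, new_pos) or None."""
    if ftype == "char-to":
        # The stop character may be given as \xHH; decode it first.
        stop = extra.encode().decode("unicode_escape")
        end = text.find(stop, pos)
        return None if end < 0 else (text[pos:end], end)
    if ftype == "ipv4":
        m = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}").match(text, pos)
    elif ftype == "number":
        m = re.compile(r"\d+").match(text, pos)
    else:
        raise ValueError(f"unsupported field type {ftype!r}")
    return None if m is None else (m.group(0), m.end())

def normalize(rule, msg):
    """Match MSG against RULE; return (fields, unparsed_data)."""
    fields, pos, rpos = {}, 0, 0
    for m in FIELD_RE.finditer(rule):
        literal = rule[rpos:m.start()]       # text between two fields
        if not msg.startswith(literal, pos):
            return fields, msg[pos:]
        pos += len(literal)
        res = _parse_field(m.group(2), m.group(3) or "", msg, pos)
        if res is None:
            return fields, msg[pos:]
        fields[m.group(1)], pos = res
        rpos = m.end()
    literal = rule[rpos:]                    # trailing literal, if any
    if not msg.startswith(literal, pos):
        return fields, msg[pos:]
    return fields, msg[pos + len(literal):]
```

Running normalize(RULE, SAMPLE) yields type, src-ip and src-port with empty unparsed data, while the REFUSED line stops at the first literal because the RCODE text differs.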