[Lognorm] type:char-to: issues (?)

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Jan 18 18:37:41 CET 2011


It looks like you have mixed up your sample :) Please check. Will try to look
at it later today (but it is already close to 7p over here), else tomorrow
morning.

Rainer

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Softwink]
> Sent: Tuesday, January 18, 2011 6:34 PM
> To: lognorm at lists.adiscon.com
> Subject: [Lognorm] type:char-to: issues (?)
> 
> 
> I might have two issues coming up, but let me explain
> them one at a time: First (this is for DNS), here's my input from
> the syslog message:
> 
>  unexpected RCODE (REFUSED) resolving '1.0.168.192.in-addr.arpa/PTR/IN': 10.20.1.1#53
> 
> Here's my rule:
> 
> rule=: unexpected RCODE (SERVFAIL) resolving '%type:char-to:\x27%':
> %src-ip%ipv4#%src-port:number%
> 
> Here's my normalized output:
> 
> Normalize output: [cee at 115 originalmsg=" unexpected RCODE (SERVFAIL)
> resolving 'example.com/MX/IN': 66.197.215.181#53" unparsed-data=".197.215.181#53"]
> 
> Note the "unparsed-data" (of course). I'd expect "type" to become
> "example.com/MX/IN". However, it's 'eating' through the first
> octet of the src-ip.
> 
> While I was pretty sure it wouldn't work, I tried the new
> quoted-string, but as I expected that didn't work. I'm assuming
> quoted-string only handles "'s and not 's ? That might be a 'feature'
> to add to quoted-string as well.
> 
> --
>         Champ Clark III | Softwink, Inc | 800-538-9357 x 101
>                      http://www.softwink.com
> 
> GPG Key ID: 58A2A58F
> Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
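
To make the expected field split concrete, here is a small reference matcher for the rule syntax used in the thread (literal text plus `%name:type[:extra]%` fields of type `char-to`, `ipv4` and `number`). It is an added example written for this page, not liblognorm's own code, and it assumes the standard `%src-ip:ipv4%` spelling for the address field and the rule body without its `rule=:` prefix; the messages below are constructed from the ones quoted above.

```python
import re

# Simplified liblognorm-style matcher (added example, not liblognorm code).
# Fields are %name:type[:extra]%; for char-to, "extra" is the terminator and
# \xNN escapes are decoded, so char-to:\x27 stops at a single quote.
FIELD_RE = re.compile(r"%([^:%]+):([^:%]+)(?::([^%]*))?%")
IPV4_RE = re.compile(r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}")
NUMBER_RE = re.compile(r"\d+")

# Rule body from the thread, with the assumed %src-ip:ipv4% spelling.
RULE = (r" unexpected RCODE (SERVFAIL) resolving '%type:char-to:\x27%': "
        r"%src-ip:ipv4%#%src-port:number%")
# Constructed sample messages taken from the quoted mail.
MSG_SERVFAIL = " unexpected RCODE (SERVFAIL) resolving 'example.com/MX/IN': 66.197.215.181#53"
MSG_REFUSED = " unexpected RCODE (REFUSED) resolving '1.0.168.192.in-addr.arpa/PTR/IN': 10.20.1.1#53"


def compile_rule(rule):
    """Split a rule into ('lit', text) and ('field', name, type, extra) parts."""
    parts, pos = [], 0
    for m in FIELD_RE.finditer(rule):
        if m.start() > pos:
            parts.append(("lit", rule[pos:m.start()]))
        extra = m.group(3)
        if extra is not None:
            extra = extra.encode().decode("unicode_escape")  # \x27 -> "'"
        parts.append(("field", m.group(1), m.group(2), extra))
        pos = m.end()
    if pos < len(rule):
        parts.append(("lit", rule[pos:]))
    return parts


def normalize(rule, msg):
    """Return the parsed fields; leftover text goes into 'unparsed-data'."""
    fields, pos = {}, 0
    for part in compile_rule(rule):
        if part[0] == "lit":
            if not msg.startswith(part[1], pos):
                break  # literal mismatch: stop, report the rest as unparsed
            pos += len(part[1])
            continue
        _, name, ftype, extra = part
        if ftype == "char-to":
            end = msg.find(extra, pos)  # consume up to, not including, terminator
            if end < 0:
                break
            fields[name], pos = msg[pos:end], end
        elif ftype in ("ipv4", "number"):
            m = (IPV4_RE if ftype == "ipv4" else NUMBER_RE).match(msg, pos)
            if not m:
                break
            fields[name], pos = m.group(0), m.end()
    if pos < len(msg):
        fields["unparsed-data"] = msg[pos:]
    return fields
```

Running `normalize(RULE, MSG_SERVFAIL)` yields `type=example.com/MX/IN`, `src-ip=66.197.215.181` and `src-port=53` with no leftover, while the REFUSED message fails at the first literal and comes back entirely as unparsed-data, which is the mismatch Rainer points at.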

