[Lognorm] type:char-to: issues (?)

Champ Clark III [Softwink] champ at softwink.com
Tue Jan 18 18:51:22 CET 2011


On Tue, Jan 18, 2011 at 06:37:41PM +0100, Rainer Gerhards wrote:
> It looks like you have mixed up your sample :) Please check. Will try to look
> at it later today (but it is already close to 7p over here), else tomorrow
> morning.

	Yes,  I did.  It was actually two rules (one for REFUSED and other
for SERVFAIL).  Anyways,  I've revised it down to one rule.  Here's
the more accurate information:

rule=: unexpected RCODE %failcode:word% resolving '%type:char-to:\x27%': %src-ip%ipv4#%src-port:number%

Syslog input:

 unexpected RCODE (SERVFAIL) resolving '161.41.46.64.in-addr.arpa/PTR/IN': 209.97.206.2#53

Normalized Output:

Normalize output: [cee at 115 originalmsg=" unexpected RCODE (SERVFAIL) resolving '161.41.46.64.in-addr.arpa/PTR/IN': 192.197.212.68#53" unparsed-data=".197.212.68#53"]

	This might be user error somewhere.  One thing I have to tinker with
are things like "(%failcode:word%)" versus "%failcode:word%",  as spaces
seem to be the delimiter in the end.... Correct?


> 
> Rainer
> 
> > -----Original Message-----
> > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Softwink]
> > Sent: Tuesday, January 18, 2011 6:34 PM
> > To: lognorm at lists.adiscon.com
> > Subject: [Lognorm] type:char-to: issues (?)
> > 
> > 
> > 	I might have two issues coming up,  but let me explain
> > them one at a time:  First (this is for DNS),  here's my input from
> > the syslog message:
> > 
> >  unexpected RCODE (REFUSED) resolving '1.0.168.192.in-
> > addr.arpa/PTR/IN': 10.20.1.1#53
> > 
> > Here's my rule:
> > 
> > rule=: unexpected RCODE (SERVFAIL) resolving '%type:char-to:\x27%':
> > %src-ip%ipv4#%src-port:number%
> > 
> > Here's my normalized output:
> > 
> > Normalize output: [cee at 115 originalmsg=" unexpected RCODE (SERVFAIL)
> > resolving 'example.com/MX/IN': 66.197.215.181#53" unparsed-
> > data=".197.215.181#53"]
> > 
> > Note the "unparsed-data" (of course).  I'd expect "type" to become
> > "example.com/MX/IN".  However, it's 'eating' through the first
> > octet of the src-ip.
> > 
> > While I was pretty sure it wouldn't work, I tried the new
> > quoted-string,  but as I expected that didn't work.  I'm assuming
> > quoted-string only handles "'s and not 's ?  That might be a 'feature'
> > to add to quoted-string as well.
> > 
> > --
> >         Champ Clark III | Softwink, Inc | 800-538-9357 x 101
> >                      http://www.softwink.com
> > 
> > GPG Key ID: 58A2A58F
> > Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
> > If it wasn't for C, we'd be using BASI, PASAL and OBOL.
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

-- 
        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
                     http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
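On the question of spaces as the delimiter, the following is an added Python toy (my own code, not liblognorm's) that walks a rule the way the word, char-to, ipv4 and number field types do. It assumes liblognorm's documented %name:type% spelling, so the source address is written as %src-ip:ipv4% rather than the %src-ip%ipv4 in the rule above, and it shows that %failcode:word% captures the parentheses, that (%failcode:word%) fails because word runs to the next space and swallows the ')', and that (%failcode:char-to:\x29%) captures just SERVFAIL.

```python
import re

# Toy re-implementation of four liblognorm v1 field types; not liblognorm's parser.
FIELD_RE = re.compile(r'%([^:%]+):([^:%]+)(?::([^%]*))?%')

def parse_rule(rule):
    """Split a 'rule=:...' line into literal strings and (name, type, extra)."""
    body, parts, pos = rule[len('rule=:'):], [], 0
    for m in FIELD_RE.finditer(body):
        parts.append(body[pos:m.start()])
        # the rule spells its delimiter as \x27, \x29 ...: decode that escape
        extra = m.group(3) and m.group(3).encode().decode('unicode_escape')
        parts.append((m.group(1), m.group(2), extra))
        pos = m.end()
    parts.append(body[pos:])
    return [p for p in parts if p != '']

def match_field(ftype, extra, msg, i):
    if ftype == 'word':      # runs up to the next space (or end of line)
        j = (msg + ' ').find(' ', i)
        return j if j > i else -1
    if ftype == 'char-to':   # runs up to, but not over, the delimiter
        j = msg.find(extra, i)
        return j if j > i else -1
    pattern = {'number': r'\d+', 'ipv4': r'(?:\d{1,3}\.){3}\d{1,3}'}[ftype]
    m = re.match(pattern, msg[i:])
    return i + m.end() if m else -1   # -1: field did not match at i

def normalize(rule, msg):
    """Return (fields, unparsed_data); unparsed_data is '' on a full match."""
    fields, i = {}, 0
    for part in parse_rule(rule):
        if isinstance(part, str):          # literal text must match exactly
            if not msg.startswith(part, i):
                return fields, msg[i:]
            i += len(part)
        else:
            name, ftype, extra = part
            j = match_field(ftype, extra, msg, i)
            if j < 0:
                return fields, msg[i:]
            fields[name], i = msg[i:j], j
    return fields, msg[i:]

# Constructed sample: the thread's SERVFAIL message and three rule variants.
MSG = " unexpected RCODE (SERVFAIL) resolving '161.41.46.64.in-addr.arpa/PTR/IN': 209.97.206.2#53"
TAIL = " resolving '%type:char-to:\\x27%': %src-ip:ipv4%#%src-port:number%"
RULE_WORD = "rule=: unexpected RCODE %failcode:word%" + TAIL
RULE_PAREN_WORD = "rule=: unexpected RCODE (%failcode:word%)" + TAIL
RULE_PAREN_CHAR_TO = "rule=: unexpected RCODE (%failcode:char-to:\\x29%)" + TAIL
```

Running normalize() on each rule against MSG gives failcode "(SERVFAIL)" for RULE_WORD, a parse failure with unparsed-data starting at " resolving '" for RULE_PAREN_WORD, and failcode "SERVFAIL" with nothing unparsed for RULE_PAREN_CHAR_TO.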