[Lognorm] type:char-to: issues (?)

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Jan 18 18:59:28 CET 2011


Mhhhh... on the other hand it is "unparsed" -- that cannot be interference.
I think I'll run it through the normalizer myself tomorrow morning...

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Softwink]
> Sent: Tuesday, January 18, 2011 6:58 PM
> To: lognorm
> Subject: Re: [Lognorm] type:char-to: issues (?)
> 
> On Tue, Jan 18, 2011 at 06:54:09PM +0100, Rainer Gerhards wrote:
> > I guess this is interference from some other rule. Can you try to use
> > this rule alone?
> 
> 	Yep..
> 
> 	Doing that now...
> 
> >
> > I think I should add the information which rule was met, at least in
> > debug mode...
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Softwink]
> > > Sent: Tuesday, January 18, 2011 6:51 PM
> > > To: lognorm
> > > Subject: Re: [Lognorm] type:char-to: issues (?)
> > >
> > > On Tue, Jan 18, 2011 at 06:37:41PM +0100, Rainer Gerhards wrote:
> > > > It looks like you have mixed up your sample :) Please check. Will
> > > > try to look at it later today (but it is already close to 7p over
> > > > here), else tomorrow morning.
> > >
> > > 	Yes, I did. It was actually two rules (one for REFUSED and the
> > > other for SERVFAIL). Anyways, I've revised it down to one rule. Here's
> > > the more accurate information:
> > >
> > > rule=: unexpected RCODE %failcode:word% resolving '%type:char-to:\x27%': %src-ip%ipv4#%src-port:number%
> > >
> > > Syslog input:
> > >
> > >  unexpected RCODE (SERVFAIL) resolving '161.41.46.64.in-addr.arpa/PTR/IN': 209.97.206.2#53
> > >
> > > Normalized Output:
> > >
> > > Normalize output: [cee@115 originalmsg=" unexpected RCODE (SERVFAIL) resolving '161.41.46.64.in-addr.arpa/PTR/IN': 192.197.212.68#53" unparsed-data=".197.212.68#53"]
> > >
> > > 	This might be user error somewhere. One thing I have to tinker
> > > with are things like "(%failcode:word%)" versus "%failcode:word%", as
> > > spaces seem to be the delimiter in the end.... Correct?
> > >
> > >
> > > >
> > > > Rainer
> > > >
> > > > > -----Original Message-----
> > > > > From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> > > > > bounces at lists.adiscon.com] On Behalf Of Champ Clark III
> [Softwink]
> > > > > Sent: Tuesday, January 18, 2011 6:34 PM
> > > > > To: lognorm at lists.adiscon.com
> > > > > Subject: [Lognorm] type:char-to: issues (?)
> > > > >
> > > > >
> > > > > 	I might have two issues coming up, but let me explain
> > > > > them one at a time: First (this is for DNS), here's my input
> > > > > from the syslog message:
> > > > >
> > > > >  unexpected RCODE (REFUSED) resolving '1.0.168.192.in-addr.arpa/PTR/IN': 10.20.1.1#53
> > > > >
> > > > > Here's my rule:
> > > > >
> > > > > rule=: unexpected RCODE (SERVFAIL) resolving '%type:char-to:\x27%': %src-ip%ipv4#%src-port:number%
> > > > >
> > > > > Here's my normalized output:
> > > > >
> > > > > Normalize output: [cee@115 originalmsg=" unexpected RCODE (SERVFAIL) resolving 'example.com/MX/IN': 66.197.215.181#53" unparsed-data=".197.215.181#53"]
> > > > >
> > > > > Note the "unparsed-data" (of course). I'd expect "type" to
> > > > > become "example.com/MX/IN". However, it's 'eating' through the
> > > > > first octet of the src-ip.
> > > > >
> > > > > While I was pretty sure it wouldn't work, I tried the new
> > > > > quoted-string, but as I expected that didn't work. I'm assuming
> > > > > quoted-string only handles "'s and not 's? That might be a
> > > > > 'feature' to add to quoted-string as well.
> > > > >
> > > > > --
> > > > >         Champ Clark III | Softwink, Inc | 800-538-9357 x 101
> > > > >                      http://www.softwink.com
> > > > >
> > > > > GPG Key ID: 58A2A58F
> > > > > Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
> > > > > If it wasn't for C, we'd be using BASI, PASAL and OBOL.
> > > > _______________________________________________
> > > > Lognorm mailing list
> > > > Lognorm at lists.adiscon.com
> > > > http://lists.adiscon.net/mailman/listinfo/lognorm
> > >
> 

