From champ at softwink.com Wed Jun 8 19:50:35 2011
From: champ at softwink.com (Champ Clark III [Softwink])
Date: Wed, 8 Jun 2011 13:50:35 -0400
Subject: [Lognorm] Normalization changes?
Message-ID: <20110608175035.GA30788@bundy.vistech.net>

Hello,

Long time no see! :)

I just pulled down the liblognorm and associated libraries via git the other day. I noticed that my old rules don't seem to be normalizing the messages as they used to. This is, of course, within Sagan. Here's the example rule:

    prefix=
    rule=: Invalid user %username:word% from %src-ip:ipv4%

When I run Sagan with normalization debugging enabled, I get:

    Normalize output: [cee at 115 originalmsg="Invalid user asda from 10.2.25.50" unparsed-data="Invalid user asda from 10.2.25.50"]

I've tried messing around with the rule, but didn't have luck with that. You'll note the prefix= is empty. Did the prefix information change at some point and I missed it?

My thought is that since I've been out of the loop, perhaps I missed a change in the liblognorm rule base (?).

Thanks in advance...

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

From champ at softwink.com Sat Jun 11 22:17:29 2011
From: champ at softwink.com (Champ Clark III [Softwink])
Date: Sat, 11 Jun 2011 16:17:29 -0400
Subject: [Lognorm] Normalization changes?
In-Reply-To: <20110608175035.GA30788@bundy.vistech.net>
References: <20110608175035.GA30788@bundy.vistech.net>
Message-ID: <20110611201729.GA1325@bundy.vistech.net>

Never mind, I got it figured out. It was a FIFO issue with Sagan.

On a side note, how's development coming along with liblognorm?

From rgerhards at hq.adiscon.com Tue Jun 14 13:06:53 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 14 Jun 2011 13:06:53 +0200
Subject: [Lognorm] Normalization changes?
In-Reply-To: <20110611201729.GA1325@bundy.vistech.net>
References: <20110608175035.GA30788@bundy.vistech.net> <20110611201729.GA1325@bundy.vistech.net>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7280E64@GRFEXC.intern.adiscon.com>

I was away for a long weekend :)

Regarding liblognorm, it actually currently does almost all I need. So my main focus is integration into rsyslog. I've planned some more development later this year, but it doesn't look too pressing right now (given the fact that CEE is also still unreleased).

Feel free to propose useful stuff if there is a need :)

Rainer

> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Softwink]
> Sent: Saturday, June 11, 2011 10:17 PM
> To: lognorm at lists.adiscon.com
> Subject: Re: [Lognorm] Normalization changes?
>
> Never mind, I got it figured out. It was a FIFO issue with Sagan.
>
> On a side note, how's development coming along with liblognorm?
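
Added example, not part of the thread and not code from liblognorm or Sagan: a simplified stand-in showing which fields the rule in the first message is meant to extract, and how a line that fails to match falls back to the `originalmsg`/`unparsed-data` pair seen in the debug output. The names `compile_rule` and `normalize` are hypothetical, only the `word` and `ipv4` field types from the post are handled, and the second and third sample lines are constructed.

```python
import ipaddress
import re

FIELD = re.compile(r"%([^:%]+):([^:%]+)%")   # %name:type% field marker

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)          # rejects octets above 255
        return True
    except ValueError:
        return False

# Only the two field types used by the rule in the post (simplified semantics).
TYPES = {
    "word": (r"\S+", lambda s: True),
    "ipv4": (r"\d{1,3}(?:\.\d{1,3}){3}", _is_ipv4),
}

def compile_rule(rule):
    """Turn 'literal %name:type% literal' into (regex, [(name, validator)])."""
    pattern, fields, pos = "", [], 0
    for m in FIELD.finditer(rule):
        name, ftype = m.groups()
        regex, check = TYPES[ftype]
        pattern += re.escape(rule[pos:m.start()]) + "(" + regex + ")"
        fields.append((name, check))
        pos = m.end()
    pattern += re.escape(rule[pos:])
    return re.compile(pattern), fields

def normalize(rule, msg):
    """Return extracted fields, or the unparsed fallback when the rule misses."""
    regex, fields = compile_rule(rule)
    m = regex.fullmatch(msg)
    if m and all(check(v) for (_, check), v in zip(fields, m.groups())):
        return {name: v for (name, _), v in zip(fields, m.groups())}
    # Assumption: the whole message is reported as unparsed, as in the post.
    return {"originalmsg": msg, "unparsed-data": msg}

RULE = "Invalid user %username:word% from %src-ip:ipv4%"

if __name__ == "__main__":
    for line in ["Invalid user asda from 10.2.25.50",     # from the post
                 "Invalid user asda from 10.2.25.500",    # constructed
                 "Accepted password for root"]:           # constructed
        print(normalize(RULE, line))
```
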