[Lognorm] Normalization changes?
Champ Clark III [Softwink]
champ at softwink.com
Wed Jun 8 19:50:35 CEST 2011
Hello,
Long time no see! :)
I just pulled down the liblognorm and associated libraries via git the
other day. I noticed that my old rules don't seem to be normalizing
the messages as they used to. This is, of course, within Sagan.
Here's the example rule:
prefix=
rule=: Invalid user %username:word% from %src-ip:ipv4%
When I run Sagan with normalization debugging enabled, I get:
Normalize output: [cee@115 originalmsg="Invalid user asda from 10.2.25.50" unparsed-data="Invalid user asda from 10.2.25.50"]
I've tried messing around with the rule, but didn't have luck
with that. You'll note the prefix= is empty. Did the prefix
information change at some point and I missed it? My thought is that
since I've been out of the loop, perhaps I missed a change in the
liblognorm rule base (?). Thanks in advance...
--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.