[Lognorm] Issues with :'s in fields (?)

Champ Clark III [Quadrant Information Security] cclark at quadrantsec.com
Mon Nov 7 22:35:35 CET 2011

Howdy all,

I'm noticing a strange issue when I'm having to deal with Sonicwall
logs. Here's the rundown.

The log lines look like this: 

id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" fw=192.168.1.1 pri=3 c=4 m=14 msg="Web site access denied" n=0 src=10.110.14.117:54426:X0: dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category="Pornography" 

I'm trying to parse the src-ip/dst-ip & src-port/dst-port. Those are
the most important to me. This is the rule I'm using (no prefix as of
yet):

rule=: id=%id:word% sn=%sn:word% time="%time:char-to:\x22%" fw=%fw:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg="%msg:char-to:\x22%" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%inteface:word%: dst=%dst-ip:ipv4%:%interface:word%:  dstname=%website:word% arg=%arg:word% code=%code:number% Category="%cat:char-to:\x22%" 

When I run it, with liblognorm debugging, I get:

[*] Normalize output: [cee at 115 originalmsg=" id=firewall sn=001111111111 time=\"2011-11-07 21:22:24 UTC\" fw=192.168.1.1 pri=3 c=4 m=14 msg=\"Web site access denied\" n=0 src=10.110.14.117:24423:X0: dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category=\"Pornography\" " unparsed-data=" dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category=\"Pornography\" "]

No matter how I move around the rule, the "dst=" always comes
back unparsed. I'll look at it more tonight, but my thought is that
the :'s in the fields might be messing things up. What do you think? Thanks.

Oh - Rainer, I'll test out that new liblognorm feature ASAP.

-- 

   Champ Clark III | Quadrant Information Security | 904-253-7856
                      http://www.quadrantsec.com


GPG Key ID: 0B30A6A7
Key fingerprint = A154 17D5 F16D 8C09 69FA  618B 3877 B04C 0B30 A6A7
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
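Added example, not from the post and not liblognorm code: a small Python parser for this Sonicwall key=value format that splits the ip:port:interface: endpoint fields explicitly. Note that the rule as posted matches dst= as %dst-ip:ipv4%:%interface:word%: with no port field between the two, unlike src=; a parser that insists on the three-part shape rejects that field, which mirrors where the unparsed-data in the debug output begins. The sample line is constructed from the message quoted above.

```python
import re

# Constructed sample line, copied from the Sonicwall message quoted in the post.
SAMPLE = ('id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" fw=192.168.1.1 '
          'pri=3 c=4 m=14 msg="Web site access denied" n=0 '
          'src=10.110.14.117:54426:X0: dst=216.163.137.68:80:X1: '
          'dstname=www.playboy.com arg=/ code=4 Category="Pornography"')

# One key=value pair at a token boundary: the value is either a double-quoted
# string (group 2 holds its contents) or a run of non-whitespace characters (group 3).
_PAIR = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(\S+))')

# Sonicwall endpoint field: ip:port:interface: (note the trailing colon).
_ENDPOINT = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}):(\w*):$')


def endpoint(value):
    """Split 'ip:port:iface:' into (ip, port, iface); None if the shape differs."""
    m = _ENDPOINT.match(value)
    if m is None:
        return None
    port = int(m.group(2))
    if port > 65535:
        return None
    return m.group(1), port, m.group(3)


def parse_sonicwall(line):
    """Return a dict of all key=value fields plus split src/dst endpoints."""
    fields = {}
    for m in _PAIR.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    for key in ("src", "dst"):
        ep = endpoint(fields.get(key, ""))
        if ep is None:
            # Same failure mode as the rule in the post: the field does not
            # have the ip:port:iface: shape the pattern asks for.
            raise ValueError(f"{key}= is not ip:port:iface: {fields.get(key)!r}")
        fields[key + "-ip"], fields[key + "-port"], fields[key + "-iface"] = ep
    return fields


if __name__ == "__main__":
    for k, v in parse_sonicwall(SAMPLE).items():
        print(f"{k}={v!r}")
```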