[Lognorm] Matching problem
James Lay
jlay at slave-tothe-box.net
Fri Oct 28 20:24:16 CEST 2011
Hey all!
So... I've posted this on the Sagan mailing list, but I was told here might
be good as well since it's related to liblognorm. Here's the scoop below:
I've tried various versions of the below... I just can't seem to get a match
on this. I've tried making almost everything that can have a possible
variable reflect it, as well as moving stuff into prefix= just to see what
happens... it's just not matching. Anyone have any ideas? Thanks.
James
raw syslog entry:
Oct 28 11:13:48 gateway kernel: [110475.092235] New,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
normalize rule:
prefix=[%garbage:number%.%garbage:number%] New,invalid IN=%int:word% OUT= MAC=
rule=: SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=%tos:number% PREC=%prec:word% TTL=%ttl:number% ID=%garbage:number% DF PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% WINDOW=%garbage:number% RES=%res:word% SYN URGP=%ugrp:number%
normalize debug:
[*] Normalize output: [cee at 115 originalmsg="[110475.092235\] New
\,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60
TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23
WINDOW=14600 RES=0x00 SYN URGP=0 " unparsed-data="SRC=70.56.158.130
DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP
SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 "]
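As an added illustration (not part of James's post and not liblognorm's own code): a small Python stand-in for the rule walk that reports the first token at which the posted rule stops consuming the sample line. It assumes simplified field parsers (number = decimal digits only, word = a run of non-space characters, ipv4 = a dotted quad) and substitutes a constructed address for the redacted DST=my_ext_ip; liblognorm's real parse-tree walk and its unparsed-data report can differ from this stand-in.

```python
import re

# Posted prefix= and rule= rejoined to single lines (the mail client wrapped them).
PREFIX = "[%garbage:number%.%garbage:number%] New,invalid IN=%int:word% OUT= MAC="
RULE = (" SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=%tos:number%"
        " PREC=%prec:word% TTL=%ttl:number% ID=%garbage:number% DF PROTO=%proto:word%"
        " SPT=%src-port:number% DPT=%dst-port:number% WINDOW=%garbage:number%"
        " RES=%res:word% SYN URGP=%ugrp:number%")

# Message body after the syslog header, as posted (DST is the poster's redaction placeholder).
MSG = ("[110475.092235] New,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip"
       " LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23"
       " WINDOW=14600 RES=0x00 SYN URGP=0")

# Assumed field-type parsers (simplified stand-ins, not liblognorm's).
PARSERS = {
    "number": re.compile(r"[0-9]+"),          # decimal digits only: stops at the 'x' in 0x10
    "word": re.compile(r"[^ ]+"),             # everything up to the next space
    "ipv4": re.compile(r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}"),
}
FIELD = re.compile(r"%([^:%]+):([^%]+)%")    # %name:type% token in a rule


def match_rule(rule, msg):
    """Walk rule against msg left to right.
    Returns (fields, None) on a full match, or (fields parsed so far, reason) at the first mismatch."""
    fields, pos, i = {}, 0, 0
    while i < len(rule):
        m = FIELD.match(rule, i)
        if m:                                   # a %name:type% field: run its parser at pos
            name, ftype = m.group(1), m.group(2)
            hit = PARSERS[ftype].match(msg, pos)
            if not hit:
                return fields, f"field {name}:{ftype} does not match {msg[pos:pos + 12]!r}"
            fields[name] = hit.group(0)
            pos, i = pos + len(hit.group(0)), m.end()
        else:                                   # a literal character must match exactly
            if pos >= len(msg) or msg[pos] != rule[i]:
                return fields, f"literal {rule[i]!r} expected at {msg[pos:pos + 12]!r}"
            pos, i = pos + 1, i + 1
    return fields, (None if pos == len(msg) else "trailing data: " + msg[pos:])


def check(msg):
    """Return None when prefix+rule consume msg completely, else a description of the first mismatch."""
    return match_rule(PREFIX + RULE, msg)[1]
```

With the constructed address in place of the placeholder, the walk still stops inside TOS=0x10, because the number parser takes only the leading 0 and the rule then expects a space; a word type for TOS (or a decimal TOS value) lets the whole line match under these assumptions.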