Thanks Michael for the help. I did have parentheses around my original
Logformats but lost them somehow in editing in one of my experiments.
I added the parentheses and another %j.
Now I get the error message "bad argument in configuration command"
"time without date or vice versa".
Is this caused by the fact that the data in each line of the log only
contains the %M and %d and does not contain a year?
In my previous message, I didn't show that there is a header line at the
top of the log, looks like this....
May 16 00:00:00.620 xtranet changelog: 108 starting new log file. UTC offset is -0400, Year is 2000, Raptor Firewall is 6.0.2, OS is "SunOS 5.6", Platform is "sun4u"
Do I have to run this log thru one of the helper programs to put the date
on each line?
Thanks
Larry Theurer SPX Corp
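
The question above is whether the year has to be put on each line. If it does (the thread does not settle this), the following Python sketch copies the year from the "Year is ..." header onto every timestamped line. It is an added example, not part of the original message and not one of analog's helper programs; the function name, the year-prefixed output layout, the December-to-January rollover handling, and the shortened sample lines are assumptions.

```python
import re

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Header written when a new log file starts, as in the sample quoted above.
HEADER_YEAR = re.compile(r"changelog: .*\bYear is (\d{4})\b")
# Start of a timestamped entry: "May 16 00:00:00.143 ..."
LINE_MONTH = re.compile(r"^([A-Z][a-z]{2}) +\d{1,2} \d{2}:\d{2}:\d{2}")

def add_year(lines):
    """Yield each timestamped line prefixed with the year from the latest header."""
    year = None
    last_month = None
    for line in lines:
        line = line.rstrip("\n")
        m = LINE_MONTH.match(line)
        if not m or m.group(1) not in MONTHS:
            yield line  # not a timestamped entry: pass through unchanged
            continue
        month = MONTHS[m.group(1)]
        h = HEADER_YEAR.search(line)
        if h:
            year = int(h.group(1))  # header states the year explicitly
        elif year is not None and last_month == 12 and month == 1:
            year += 1  # assumption: Dec -> Jan with no new header means a new year
        last_month = month
        # Lines seen before any header have no known year and are left as they are.
        yield f"{year} {line}" if year is not None else line

# Constructed sample: header and first entry shortened from the thread,
# the last two entries invented to exercise the year rollover.
SAMPLE = [
    'May 16 00:00:00.620 xtranet changelog: 108 starting new log file. '
    'UTC offset is -0400, Year is 2000, Raptor Firewall is 6.0.2',
    'May 16 00:00:00.143 xtranet httpd[6110]: 121 Statistics: duration=0.34 '
    'id=ywFFM sent=366 rcvd=64',
    'Dec 31 23:59:59.900 xtranet httpd[6110]: 121 Statistics: duration=0.10',
    'Jan  1 00:00:01.000 xtranet httpd[6110]: 121 Statistics: duration=0.20',
]

if __name__ == "__main__":
    for out in add_year(SAMPLE):
        print(out)
```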
---------------------------------------------------------------------------------------------------------------------------------
Looks like you have the format right, except that the whole thing needs to
be in parentheses. And it looks like you need one more %j on the end.
Michael
----------------------------------------------------------------
> I'm trying to analyze a log from a firewall named Raptor.
> I'm having a hard time determining what to use for a LOGFORMAT.
>
> Here's an example of my format
> LOGFORMAT (%M %d %h:%n:%j %j httpd[%j]: %c %j: duration=%t %j %j rcvd=%b %j src=%S/%j %j %j %j arg=%r %j %j %j)
>
> Here's a sample line of data from the log
> May 16 00:00:00.143 xtranet httpd[6110]: 121 Statistics: duration=0.34 id=ywFFM sent=366 rcvd=64 srcif=qfe2 src=257.12.69.451/1237 dstif=le0 dst=162.152.2.70/80 op=GET arg=http://www.401k.com/ result="304 Use local copy" proto=http rule=9
>
> thanks for any advice
> Larry Theurer SPX Corp
>
------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/[email protected]/
------------------------------------------------------------------------