On Thursday, March 02, 2006 12:39 PM [EDT],
Aengus <[EMAIL PROTECTED]> wrote:
> On Thursday, March 02, 2006 11:13 AM [EDT],
> Obi-Wan <[EMAIL PROTECTED]> wrote:
>
>>> Okay, try this:
>>> HOSTALIAS REGEXP:172\.26\.(\d{1,3})\.(\d{1,3})$ $1.net
>>>
>>> This will give you an Organization Report that contains a list of
>>> <3rdOctet>.net "organizations",
>>>
>>> e.g. if you have 22 hits from 172.26.147.12, and 36 hits from
>>> 172.26.147.108, then 147.net will be listed with 58 requests.
>>>
>>> If you need to identify individual hosts as well, use $2.$1.net
>>> instead.
>>>
>>> You have to use a known TLD as the suffix, unless you want to update
>>> Analog's .dom files
>>
>> Great! Thanks. I didn't know you could do regex in a HOSTALIAS.
>> Here's what I ended up doing:
>>
>> HOSTALIAS REGEXP:(\d+)\.(\d+)\.(\d+) $3.$2.$1.arpa
>
> As I can never get my head round regular expressions, what happened
> to the 4th octet? You haven't anchored your expression to the
> beginning or end of the host string. Is it "safe" to just ignore
> anything after the 3rd octet?

I guess so.

HOSTALIAS REGEXP:(\d+)\.(\d+)$ $1.net

does what my original suggestion did - provides an Organization report that
displays which subnets of a Class C "domain" are the source of traffic.
That's potentially very useful for someone analysing Intranet logs from an
organization large enough to use a Class C address. (Especially if DNS names
don't show site or department information).

Aengus
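
An added example, not part of the original thread: a Python sketch comparing how the three HOSTALIAS patterns quoted above group the same hosts, which shows what the missing anchors change. It assumes Analog replaces the whole host name with the right-hand side when the pattern matches, uses Python's `re` as a stand-in for Analog's regex engine, and runs on constructed sample hosts (only the 22 and 36 hit counts come from the thread).

```python
import re
from collections import Counter

# The three HOSTALIAS rules quoted in the thread: (pattern, replacement).
RULES = {
    "anchored_172_26": (r"172\.26\.(\d{1,3})\.(\d{1,3})$", "$1.net"),
    "unanchored_arpa": (r"(\d+)\.(\d+)\.(\d+)", "$3.$2.$1.arpa"),
    "last_two_octets": (r"(\d+)\.(\d+)$", "$1.net"),
}

# Constructed sample: host -> request count. The last two entries are
# hypothetical hosts added to show what each pattern lets through.
HITS = {
    "172.26.147.12": 22,
    "172.26.147.108": 36,
    "10.0.147.5": 4,
    "cache-10.1.2.example.com": 3,
}


def alias(host, pattern, replacement):
    """Apply one rule to one host name.

    Assumption: on a match the whole host name is replaced by the
    right-hand side, with $N expanded to the Nth captured group.
    """
    m = re.search(pattern, host)  # unanchored unless the pattern anchors
    if m is None:
        return host
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def organizations(hits, rule):
    """Total the request counts per aliased name for the named rule."""
    pattern, replacement = RULES[rule]
    counts = Counter()
    for host, n in hits.items():
        counts[alias(host, pattern, replacement)] += n
    return dict(counts)


if __name__ == "__main__":
    for name in RULES:
        print(name, organizations(HITS, name))
```

The anchored 172.26 rule leaves the other two hosts alone, the unanchored three-group rule also rewrites a DNS name that happens to contain digits and dots, and the two-group rule merges 10.0.147.5 into the same 147.net bucket as the 172.26.147.x hosts.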