I attempted sawmill with a log done in KIWI with the format set to BSD. I had a line similar to your original line. KIWI did not recognize it. I went back to KIWI and set the format to Webtrends and the log lines now look as follows:
WTsyslog[2002-10-15 11:17:36 ip=10.20.0.1 pri=5] <149>Oct 15 11:27:00 id=firewall time="2002-10-15 11:27:00" fw="sat-gw" pri=5 msg="Accept outbound NAT" cat_action=pass cat_site="Unknown" dstname=www.graybeardoutdoors.com proto=http src=IP.REM.OV.ED srcport=1846 nat=65.240.65.98 natport=1846 dst=66.34.96.1 dstport=80 rule=8 op=GET arg=/forums/icons/biggrin.gif duration=48 sent=9349 rcvd=119334

This was immediately recognized as WELF by sawmill. Obviously this format is emulating the output of WebTrends' own syslog utility, but it seems to work fine.

Chris Green

-----Original Message-----
From: david raistrick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 11:17 AM
To: Chris Green
Cc: [EMAIL PROTECTED]
Subject: RE: [gb-users] Re: R: [gb-users] WELF log format

On Tue, 15 Oct 2002, Chris Green wrote:

> People were having issues with KIWI syslog at some point here. The
> default logging format for kiwi is its own format. You can set many
> logging formats, including BSD Syslog and RAW. What exactly were you
> removing from the BSD formatted logs that made it work? I can try
> several different things with Kiwi until I get a format out of it that
> works with all of the log parsing tools.

I removed the date, time and hostname. A sample line:

Old:
Oct 10 00:00:59 gbhost id=firewall time="2002-10-10 00:00:59" fw="gbhost-ha-1" pri=5 msg="Accept inbound NAT tunnel" proto=http src=22.15.14.15 srcport=40699 nat=139.130.242.32 natport=80 dst=192.168.131.139 dstport=80 duration=25 sent=1016 rcvd=14549

New:
id=firewall time="2002-10-10 00:00:59" fw="gbhost-ha-1" pri=5 msg="Accept inbound NAT tunnel" proto=http src=22.15.14.15 srcport=40699 nat=139.130.242.32 natport=80 dst=192.168.131.139 dstport=80 duration=25 sent=1016 rcvd=14549

thanks.
..david

---
David Raistrick
Systems Administrator - Global Technology Associates, Inc
[EMAIL PROTECTED]

Archive of the last 1000 messages: http://www.mail-archive.com/[email protected]
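The thread shows the same WELF record arriving in three wrappings: Kiwi's BSD syslog header ("Oct 10 00:00:59 gbhost ..."), Kiwi's Webtrends-style "WTsyslog[...] <PRI>..." header, and the bare record with date, time and hostname stripped by hand. The following Python parser is an added example, not code from the thread, Kiwi, sawmill or WebTrends. It assumes, as all three sample lines do, that the WELF record opens with the id= key, and locates the payload from there so any transport prefix is skipped. The duplicate-key check is my own hardening assumption: fields such as dstname and arg carry text influenced by the remote side, and a smuggled second "src=" must not silently overwrite the real one.

```python
"""Parse WELF (WebTrends Enhanced Log Format) firewall records that arrive
wrapped in BSD syslog, Kiwi "WTsyslog[...]" or no header at all.
Added example; not the project's own code."""
import re

# One WELF pair: key=value, value either double-quoted (backslash escapes
# allowed inside) or a bare token running to the next whitespace.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Assumption: every WELF record opens with "id=" (true of all samples in
# the thread), so the first whitespace-delimited "id=" marks the payload.
_START_RE = re.compile(r'(?:^|\s)(id=)')

# The three lines quoted in the thread (src in the first is redacted as posted).
SAMPLE_LINES = {
    "wtsyslog": 'WTsyslog[2002-10-15 11:17:36 ip=10.20.0.1 pri=5] <149>Oct 15 11:27:00 '
                'id=firewall time="2002-10-15 11:27:00" fw="sat-gw" pri=5 '
                'msg="Accept outbound NAT" cat_action=pass cat_site="Unknown" '
                'dstname=www.graybeardoutdoors.com proto=http src=IP.REM.OV.ED '
                'srcport=1846 nat=65.240.65.98 natport=1846 dst=66.34.96.1 dstport=80 '
                'rule=8 op=GET arg=/forums/icons/biggrin.gif duration=48 sent=9349 rcvd=119334',
    "bsd": 'Oct 10 00:00:59 gbhost id=firewall time="2002-10-10 00:00:59" fw="gbhost-ha-1" '
           'pri=5 msg="Accept inbound NAT tunnel" proto=http src=22.15.14.15 srcport=40699 '
           'nat=139.130.242.32 natport=80 dst=192.168.131.139 dstport=80 duration=25 '
           'sent=1016 rcvd=14549',
    "stripped": 'id=firewall time="2002-10-10 00:00:59" fw="gbhost-ha-1" pri=5 '
                'msg="Accept inbound NAT tunnel" proto=http src=22.15.14.15 srcport=40699 '
                'nat=139.130.242.32 natport=80 dst=192.168.131.139 dstport=80 duration=25 '
                'sent=1016 rcvd=14549',
}

# Constructed line (not from the thread): an unquoted field carrying a second src=.
SMUGGLED_LINE = 'id=firewall src=10.0.0.1 dstname=evil src=1.2.3.4 dst=192.0.2.7'


def welf_payload(line):
    """Return the WELF record embedded in a syslog line, dropping any
    BSD header, WTsyslog[...] header or <PRI> tag in front of it."""
    m = _START_RE.search(line)
    if m is None:
        raise ValueError("no WELF record: leading id= key not found")
    return line[m.start(1):]


def parse_welf(line, strict=False):
    """Parse one wrapped WELF line into a dict of str -> str.

    Quotes and backslash escapes are removed from quoted values; numbers are
    left as strings. Text between pairs that is not whitespace (e.g. a value
    cut by the syslog size limit) raises ValueError. A repeated key keeps its
    first value and is listed under "_duplicates", or raises when strict=True.
    """
    payload = welf_payload(line)
    rec, dups, pos = {}, [], 0
    for m in _PAIR_RE.finditer(payload):
        gap = payload[pos:m.start()]
        if gap.strip():
            raise ValueError("unparseable text at offset %d: %r" % (pos, gap))
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            value = re.sub(r'\\(.)', r'\1', raw[1:-1])   # unquote, unescape
        else:
            value = raw
        if key in rec:
            if strict:
                raise ValueError("duplicate key %r" % key)
            dups.append(key)
        else:
            rec[key] = value
        pos = m.end()
    if payload[pos:].strip():
        raise ValueError("trailing text: %r" % payload[pos:])
    if dups:
        rec["_duplicates"] = dups
    return rec


def same_record(*lines):
    """True if every wrapped line parses to the identical WELF record."""
    parsed = [parse_welf(l) for l in lines]
    return all(p == parsed[0] for p in parsed[1:])


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        print(name, parse_welf(line)["msg"])
    print("bsd == stripped:", same_record(SAMPLE_LINES["bsd"], SAMPLE_LINES["stripped"]))
```

Because the record is located by its leading id= key rather than by stripping a fixed-width header, the same parser handles whichever output format Kiwi is set to; a tool that instead expects the line to start at id= is exactly what fails on the BSD-wrapped form until the header is removed.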
