I had a chance to build and play a bit with liblognorm. Rainer
has done some good work on it! It was fun to play with and here are
some of my initial thoughts.
First off, I was using snapshots from the git repository for
libestr, libee and liblognorm. Compiling/building was pretty straight
forward. Untar the archives and run "autoreconf -vfi", and then run
"./configure && make && make install". When running 'autoreconf' with
liblognorm, it complains about the m4 directory not existing. Not a
big deal, simply create it and re-run 'autoreconf'.
Once everything was built, I started playing with Rainer's
'normalizer' example that ships with liblognorm. That was sort of nice
to have to 'tie everything' together. It basically takes the log input
via stdin and you point it to a log normalizer repository with the -r
flag. This program (well, wrapper) is in the liblognorm/src
directory. You'd run it like this, assuming you're in the
liblognorm/src directory...
cat log-messages | ./normalizer -r ../sample-db/messages.sampdb
In the 'sample-db' are sort of the 'rules' for parsing. I wrote
a couple of test 'rules' just to play. Here's a quick little NTP rule
I wrote:
:%date:date-rfc3164% %host:word% %tag:char-to:\x3a%: synchronized to %ip:ipv4%
My syslog "input" is..
Dec 1 14:10:11 testbox ntpd[3821]: synchronized to 192.168.0.10
Here's the normalizer output:
To normalize: 'Dec 1 14:10:11 testbox ntpd[3821]: synchronized to 192.168.0.1'
normalized: '[...@... ip="192.168.0.1" tag="ntpd[3821\]" host="testbox"
date="Dec 1 14:10:11"]'
So, that works nicely. Nifty. I made a few more 'complex'
rules, and those worked fine as well. However, if the rule is off a
bit, then you've got issues. Here's what I mean. Back on my example
above, if this:
Dec 1 14:10:11 testbox ntpd[3821]: synchronized to 192.168.0.10
changes to this:
Dec 1 14:10:11 testbox ntpd[3821]: synchronized to 192.168.0.10, stratium 1
The 'normalizer' will call the ",stratium 1" part of the message as
"unclassified". However, it doesn't appear that it'll grab the IP
address, tag, etc.
Also, I think the "real work" is going to be writing rules. That's
going to take some effort, which I hope to assist with.
Anyways, just wanted to share my brief bit of playing with liblognorm.
It looks very promising! I'm hoping to start playing with some test
Sagan + liblognorm code, just for fun. :)
--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
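The following is an added example, not part of the post above and not liblognorm's own code. It is a small Python stand-in for the normalizer that compiles the post's NTP sample rule into an anchored regular expression and runs it over the two syslog lines from the post. The regex equivalents for the date-rfc3164, word, char-to, ipv4 and number field parsers are simplified assumptions for illustration, as is the 'unparsed-data' key used when nothing matches. It reproduces the behaviour the post describes: the strict rule extracts every field from the original line but extracts nothing once ", stratium 1" is appended, and a second rule that accounts for the suffix (the 'stratum' field name is assumed) restores the extraction.

```python
import re
from typing import Dict, List

# Simplified regex stand-ins for the liblognorm field parsers used in the post.
# These are assumptions for illustration, not liblognorm's own parser code.
FIELD_TYPES = {
    "date-rfc3164": r"[A-Z][a-z]{2} [ \d]?\d \d{2}:\d{2}:\d{2}",
    "word": r"\S+",
    "ipv4": r"\d{1,3}(?:\.\d{1,3}){3}",
    "number": r"\d+",
}

# Matches one %name:type% or %name:type:extra% field in a sample rule.
FIELD_RE = re.compile(r"%(?P<name>[^:%]+):(?P<type>[^:%]+)(?::(?P<extra>[^%]*))?%")


def compile_rule(rule: str) -> "re.Pattern[str]":
    """Translate a liblognorm-style sample rule into a fully anchored regex.

    Literal text between fields must match exactly and the whole message
    must be consumed; that strictness is what makes a slightly different
    message fall through to 'unparsed', as observed in the post.
    """
    # The leading ':' in the post's rule separates an (empty) tag list from
    # the sample text; drop it before compiling.
    if rule.startswith(":"):
        rule = rule[1:]
    pattern = ""
    pos = 0
    for m in FIELD_RE.finditer(rule):
        pattern += re.escape(rule[pos:m.start()])
        name, ftype, extra = m.group("name"), m.group("type"), m.group("extra")
        if ftype == "char-to":
            # char-to:\x3a consumes everything up to (not including) ':'.
            stop = extra.encode("ascii").decode("unicode_escape")
            sub = "[^" + re.escape(stop) + "]+"
        else:
            sub = FIELD_TYPES[ftype]
        pattern += f"(?P<{name}>{sub})"
        pos = m.end()
    pattern += re.escape(rule[pos:])
    return re.compile("^" + pattern + "$")


def normalize(rules: List["re.Pattern[str]"], message: str) -> Dict[str, str]:
    """Return the fields of the first rule that matches the whole message.

    If no rule matches, nothing is extracted and the whole line is returned
    under an 'unparsed-data' key (a label chosen here for illustration).
    """
    for rule in rules:
        m = rule.match(message)
        if m:
            return m.groupdict()
    return {"unparsed-data": message}


# The NTP rule from the post, plus a second rule that also accepts the
# ", stratium 1" suffix from the post's changed message (the literal keeps
# the post's spelling so that its sample line matches).
RULE_NTP = r":%date:date-rfc3164% %host:word% %tag:char-to:\x3a%: synchronized to %ip:ipv4%"
RULE_NTP_STRATUM = RULE_NTP + r", stratium %stratum:number%"

# Sample syslog lines taken from the post.
MSG_PLAIN = "Dec 1 14:10:11 testbox ntpd[3821]: synchronized to 192.168.0.10"
MSG_STRATUM = "Dec 1 14:10:11 testbox ntpd[3821]: synchronized to 192.168.0.10, stratium 1"

if __name__ == "__main__":
    strict = [compile_rule(RULE_NTP)]
    extended = strict + [compile_rule(RULE_NTP_STRATUM)]
    for label, rules in (("strict rule set", strict), ("extended rule set", extended)):
        print(label)
        for msg in (MSG_PLAIN, MSG_STRATUM):
            print("  ", normalize(rules, msg))
```

The point of the anchored match is the one the post makes: a rule either consumes the whole line or yields nothing, so a one-token change in a log format silently turns structured events back into unparsed text. Keeping a test line per rule (as above) and checking that each still normalizes is a cheap way to notice when a format drifts.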

