> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Champ Clark III [Softwink]
> Sent: Thursday, December 02, 2010 5:10 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Fun with liblognorm / rsyslog
>
> > It is! And I am well aware of it. In rsyslog, I have the same issue. I think
> > of something like a "common prefix" inside the sample db (maybe rulebase is a
> > better name, btw :)). That would be common to all rules, and only the common
> > prefix would need to be changed for different headers. It's not 100% sorted
> > out, there is still enough work to do on the core engine (needs more parsers,
> > parser priority, str optimizations).
>
> That makes sense, if I understand correctly. Basically some way you can "tell"
> the library, i.e. "I only have the 'message' portion, so apply the rule base
> to it, but only using the 'message' portion of the rule"? That sort of thing?
Simpler: the rule base (I tend to switch to this term ;)) will have an extra
entry, e.g.

commonPrefix=<%PRI:PRI%>%date:date-rfc3164%...

and

rule=Port=%port%number%...

and the process will combine the two while building the tree, like this:

<%PRI:PRI%>%date:date-rfc3164%... rule=Port=%port%number%...

And now that I wrote this, it's probably something to implement very soon,
because it is pretty simple ;) Boils down to string concatenation.

> > > Oh.. one more thing. Do you think it's too early to start
> > > writing liblognorm rules?
> >
> > Depends... You will probably want to revisit the rules in a few weeks, when
> > we have more capabilities. But on the other hand, I need some experience with
> > building them, so that I know what does not work out. The current parsers are
> > extremely limited and some (word, char-to) are very generic. But if that
> > works, it will continue to work with new versions. When the classifier is
> > there (hopefully December), you will probably want to add classification tags
> > for easy filtering (if that matters for Sagan).
>
> Okay.. I understand. One more question, and this is more of a future support
> sort of thing. I'm only asking because I'm wondering if this was brought up
> with the CEE dictionary thing. You have things like %ip:ipv4% and %port:number%.
> Do you have any idea if there will eventually be something like a
> %ip:%ipv4:src% or %ip:ipv4:dst% type of flags (same idea applying to
> %port:number%)? This might be useful, for not only normalization, but XML and
> JSON output.

Can you elaborate what you mean by %ip:ipv4:src%? I am not 100% sure I really
understood...

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
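The commonPrefix + rule concatenation Rainer describes, and the "message portion only" case Champ asks about, as an added Python model that is not liblognorm's own code: the %name:type% field syntax is taken from the thread, while the per-type regexes, the rule base contents and the sample log line are this example's own assumptions (liblognorm itself uses hand-written parsers and a parse tree, not regular expressions).

```python
import re

# Sub-pattern per parser type. These regexes are this example's own assumption;
# liblognorm uses hand-written parsers and a parse tree, not regular expressions.
TYPE_PATTERNS = {
    "PRI": r"\d{1,3}",
    "date-rfc3164": r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d",
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "word": r"\S+",
}
# %name:type% field syntax as used in the thread (e.g. %ip:ipv4%, %port:number%)
FIELD_RE = re.compile(r"%([A-Za-z0-9_-]+):([A-Za-z0-9-]+)%")


def compile_rule(common_prefix, rule):
    """String-concatenate commonPrefix + rule, then turn every %name:type% into a
    named group while escaping the literal text between fields."""
    full = common_prefix + rule
    parts, pos = ["^"], 0
    for m in FIELD_RE.finditer(full):
        parts.append(re.escape(full[pos:m.start()]))
        name, ptype = m.group(1), m.group(2)
        parts.append("(?P<%s>%s)" % (name.replace("-", "_"), TYPE_PATTERNS[ptype]))
        pos = m.end()
    parts.append(re.escape(full[pos:]) + "$")
    return re.compile("".join(parts))


def normalize(rulebase, line, use_prefix=True):
    """Return the fields of the first matching rule, or None. use_prefix=False is
    the 'message portion only' case from the thread: a consumer such as Sagan that
    has already stripped the syslog header matches against the bare rules."""
    prefix = rulebase.get("commonPrefix", "") if use_prefix else ""
    for rule in rulebase["rules"]:
        m = compile_rule(prefix, rule).match(line)
        if m:
            return m.groupdict()
    return None


# Constructed rule base: one common header prefix shared by all rules.
RULEBASE = {
    "commonPrefix": "<%PRI:PRI%>%date:date-rfc3164% %host:word% ",
    "rules": [
        "sshd: Accepted password for %user:word% from %ip:ipv4% port %port:number%",
        "Port=%port:number% Src=%ip:ipv4%",
    ],
}
# Constructed sample log line (not from the thread).
SAMPLE = "<38>Dec  2 17:10:05 gw1 sshd: Accepted password for alice from 10.0.0.5 port 51234"
```

A header-less line such as "Port=22 Src=192.0.2.1" only normalizes with use_prefix=False, which is exactly why the prefix needs to be a separate, swappable entry in the rule base.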

