> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Champ Clark III [Softwink]
> Sent: Thursday, December 02, 2010 5:25 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Fun with liblognorm / rsyslog
>
> > > Okay.. I understand. One more question, and this is more of a
> > > future support sort of thing. I'm only asking because I'm wondering if
> > > this was brought up with the CEE dictionary thing. You have things
> > > like %ip:ipv4% and %port:number% . Do you have any idea if there will
> > > eventually be something like a %ip:%ipv4:src% or %ip:ipv4:dst% type of
> > > flags (same idea applying to %port:number%)? This might be useful,
> > > for not only normalization, but XML and JSON output.
> >
> > Can you elaborate what you mean by %ip:ipv4:src%, I am not 100% sure I really
> > understood...
>
> Here's what I mean.. From an example Cisco PIX log (message
> portion only).
>
> %PIX-7-710005: UDP request discarded from 192.168.20.45/53 to %outside:192.168.20.208/37989
>
> We have a source IP, destination IP, source port, destination
> port. So an example rule might be:
>
> %PIX-7-710005: UDP request discarded from %ip:ipv4:src%/%port:number:src% to %outside:%ip:ipv4:dst%/%port:number:dst%

That would be

%src-ip:ipv4%/%src-port:number% to %outside:%dst-ip:ipv4%/%dst-port:number%

The idea is not that it is an IP field, but the field (name) should be quite specific.

Rainer

> Does this make sense? Or is it outside the scope of things?
>
> --
> Champ Clark III | Softwink, Inc | 800-538-9357 x 101
> http://www.softwink.com
>
> GPG Key ID: 58A2A58F
> Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
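
The naming scheme from the reply above, applied to the sample PIX message in a small Python sketch (an added example, not part of the original thread and not liblognorm code). The names compile_rule and normalize, the value regexes, the rejection of a reused field name, and the treatment of a stray '%' as literal text are all assumptions of this sketch.

```python
import ipaddress
import re

# Value patterns for the two field types used in the thread. They are this
# sketch's approximation, not liblognorm's own parsers.
TYPES = {"ipv4": r"(?:\d{1,3}\.){3}\d{1,3}", "number": r"\d+"}
FIELD = re.compile(r"%([\w-]+):(\w+)%")

# Rule with the field names from the reply, joined onto one line.
RULE = ("%PIX-7-710005: UDP request discarded from "
        "%src-ip:ipv4%/%src-port:number% to "
        "%outside:%dst-ip:ipv4%/%dst-port:number%")
# Sample message from the thread, joined onto one line.
MESSAGE = ("%PIX-7-710005: UDP request discarded from "
           "192.168.20.45/53 to %outside:192.168.20.208/37989")

def compile_rule(rule):
    """Compile a rule; a '%' that starts no %name:type% field is literal."""
    parts, fields, pos = [], [], 0
    for m in FIELD.finditer(rule):
        name, ftype = m.groups()
        if ftype not in TYPES:
            raise ValueError(f"unsupported field type: {ftype}")
        if any(name == n for n, _ in fields):  # sketch's choice: no reuse
            raise ValueError(f"field name used twice: {name}")
        parts += [re.escape(rule[pos:m.start()]), f"({TYPES[ftype]})"]
        fields.append((name, ftype))
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    return re.compile("".join(parts)), fields

def normalize(rule, message):
    """Return {field name: value} for a matching message, else None."""
    regex, fields = compile_rule(rule)
    m = regex.fullmatch(message)
    if m is None:
        return None
    event = {}
    for (name, ftype), value in zip(fields, m.groups()):
        if ftype == "ipv4":
            try:
                ipaddress.IPv4Address(value)  # reject octets above 255
            except ValueError:
                return None
        event[name] = int(value) if ftype == "number" else value
    return event

if __name__ == "__main__":
    print(normalize(RULE, MESSAGE))
```

Because each field carries its role in its name, the resulting event keeps source and destination apart without any extra qualifier on the type.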

