It looks like I screwed up in this commit... I must have "cleaned up"
something that was useful ;) Will check...

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Rainer Gerhards
> Sent: Thursday, December 02, 2010 6:27 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Fun with liblognorm / rsyslog
> 
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Rainer Gerhards
> > Sent: Thursday, December 02, 2010 5:15 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Fun with liblognorm / rsyslog
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of Champ Clark III [Softwink]
> > > Sent: Thursday, December 02, 2010 5:10 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] Fun with liblognorm / rsyslog
> > >
> > > > It is! And I am well aware of it. In rsyslog, I have the same issue. I think
> > > > of something like a "common prefix" inside the sample db (maybe rulebase is a
> > > > better name, btw :)). That would be common to all rules, and only the common
> > > > prefix would need to be changed for different headers. It's not 100% sorted
> > > > out, there is still enough work to do on the core engine (needs more parsers,
> > > > parser priority, str optimizations).
> > >
> > > That makes sense, if I understand correctly. Basically some
> > > way you can "tell" the library, i.e. "I only have the 'message'
> > > portion, so apply the rule base to it, but only using the 'message'
> > > portion of the rule"? That sort of thing?
> >
> > simpler: the rule base (I tend to switch to this term ;)) will have an extra
> > entry, e.g.
> >
> > commonPrefix=<%PRI:PRI%>%date:date-rfc3164%...
> > and
> > rule=Port=%port%number%...
> >
> > and the process will combine the two while building the tree, like this:
> > <%PRI:PRI%>%date:date-rfc3164%... rule=Port=%port%number%...
> >
> > And now that I wrote this, it's probably something to implement very soon,
> > because it is pretty simple ;) Boils down to string concatenation.
> 
> Said and done - I pushed the rsyslog work away, as this is more useful. You
> can now pull from git, the rule base (sample db) format has changed. You can
> now specify a common prefix, as I said. Sample:
> 
> prefix=:%date:date-rfc3164% %host:word% %seqnum:number%: %othseq:char-to:\x3a%: %%%tag:char-to:\x3a%:
> rule=: Configured from console by %tty:word:% (%ip:ipv4%)
> rule=: Authentication failure for %proto:word% req from host %ip:ipv4%
> rule=: Interface %interface:char-to:,%, changed state to %state:word%
> rule=: Line protocol on Interface %interface:char-to:,%, changed state to %state:word%
> rule=: Attempted to connect to %servname:word% from %ip:ipv4%
> 
> This is also much easier to read. Note that the first space is part of the
> sample. I did this to keep consistent with how rsyslog treats things in
> regard to RFC3164. But you could also move it to the common prefix. I'll
> probably add also a "prefixextend" command so that a single ruleset could
> also handle that.
> 
> Rainer
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
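
The prefix-plus-rule concatenation described in the thread, as an added Python sketch that is not part of the original messages and not liblognorm code. It uses regexes where the library builds a parse tree, and it assumes that `%%` is a literal percent sign, that the sample text starts after the first `:` of each `prefix=`/`rule=` line, and that the field types can be approximated by the patterns in `TYPES`; all function names and the sample log line are constructed for illustration.

```python
import re
# Rulebase from the message above, with the mail client's line wraps rejoined.
RULEBASE = r"""
prefix=:%date:date-rfc3164% %host:word% %seqnum:number%: %othseq:char-to:\x3a%: %%%tag:char-to:\x3a%:
rule=: Configured from console by %tty:word:% (%ip:ipv4%)
rule=: Authentication failure for %proto:word% req from host %ip:ipv4%
rule=: Interface %interface:char-to:,%, changed state to %state:word%
"""
# Constructed sample line, not taken from the thread.
SAMPLE = "Dec  2 17:10:01 router1 123: 000456: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)"
# Simplified regex stand-ins for the field types used on the page (assumption).
TYPES = {"date-rfc3164": r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}", "word": r"\S+",
         "number": r"\d+", "ipv4": r"\d{1,3}(?:\.\d{1,3}){3}"}
TOKEN = re.compile(r"%%|%([^%:]+):([^%:]+)(?::([^%]*))?%")

def compile_sample(sample):
    """Turn one combined sample into an anchored regex with named groups."""
    out, pos = [], 0
    for m in TOKEN.finditer(sample):
        out.append(re.escape(sample[pos:m.start()]))   # literal text between fields
        pos = m.end()
        if m.group(0) == "%%":                         # assumed: literal percent sign
            out.append("%")
            continue
        name, ftype, extra = m.groups()
        if ftype == "char-to":                         # read up to the terminator, e.g. \x3a is ':'
            stop = re.sub(r"\\x([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), extra)
            pat = "[^" + re.escape(stop) + "]+"
        else:
            pat = TYPES[ftype]
        out.append("(?P<%s>%s)" % (name, pat))
    return re.compile("".join(out) + re.escape(sample[pos:]) + r"\Z")

def load_rulebase(text):
    """Concatenate the common prefix with every rule, as the message describes."""
    prefix, rules = "", []
    for line in text.strip().splitlines():
        kind, _, rest = line.partition("=")
        sample = rest.partition(":")[2]                # assumed: sample follows the first ':'
        if kind == "prefix":
            prefix = sample
        elif kind == "rule":
            rules.append(compile_sample(prefix + sample))
    return rules

def normalize(line, rules):
    """Return the fields of the first matching rule, or None if nothing matches."""
    hits = (rx.match(line) for rx in rules)
    return next((m.groupdict() for m in hits if m), None)
```

Calling `normalize(SAMPLE, load_rulebase(RULEBASE))` returns the header fields from the prefix together with `tty` and `ip` from the matching rule; a line that fits the prefix but no rule returns `None`.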