> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of David Lang
> Sent: Friday, November 23, 2012 12:21 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Splitting and filtering Cisco logs
>
> On Fri, 23 Nov 2012, Rainer Gerhards wrote:
>
>>> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Marcin Miroslaw
>>>
>>> I've forgotten about links to docs.
>>> http://www.ciscopress.com/articles/article.asp?p=424447&seqNum=2
>>> http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1019931
>>
>> Excellent!
>>>
>>> but I'm not familiar with Cisco, please don't ask too difficult
>>> questions;)
>>
>> At this point, we really don't need to understand what the message
>> means. I asked for the doc so that I can look up what type of parameter
>> to expect (its syntax). This is what mmnormalize is concerned about.
>
> I am pretty familiar with Cisco logs, so I should be able to help.
>
> The problem is that the format of any particular log message does not
> correlate with the other, similar log messages. In the past when I've
> had to deal with them, I've had to set up a parser for each message code.
>
> The good news is that the messages are well behaved at that point, so
> once you identify the %ASA number, you know exactly what the rest of
> the message means.
I plan to do some tutorial (either in print or as a video [time saver...]) with that as a sample. I think normalization is becoming even more important with CEE being around. I hope to get things started next week and will definitely ask all questions that come up :)

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
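The per-message-code approach David describes (identify the %ASA number, then apply the parser for that one code), written as an added Python example; this is not code from the thread or from rsyslog/mmnormalize, and the two message layouts and sample lines are assumptions based on the Cisco ASA message reference linked above, not captured device output:

```python
import re
from typing import Dict, Optional

# Every ASA message starts with the same header; only the text after it is ID-specific.
ASA_HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<text>.*)$")

# interface:address/port triple, parameterised by a prefix for the group names
IP_PORT = r"(?P<{p}_if>[\w-]+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"

# One parser per message ID: once the ID is known, the layout is fixed.
# Patterns follow the Cisco ASA message reference; assumed here, verify against your release.
PARSERS: Dict[str, re.Pattern] = {
    # 106023: Deny <proto> src <if:ip/port> dst <if:ip/port> by access-group "<acl>" [...]
    "106023": re.compile(
        r"Deny (?P<proto>\w+) src " + IP_PORT.format(p="src")
        + r" dst " + IP_PORT.format(p="dst")
        + r' by access-group "(?P<acl>[^"]+)"'
    ),
    # 302013: Built <dir> TCP connection <n> for <if:ip/port> (<mapped>) to <if:ip/port> (<mapped>)
    "302013": re.compile(
        r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
        + IP_PORT.format(p="src") + r" \([\d.]+/\d+\) to "
        + IP_PORT.format(p="dst") + r" \([\d.]+/\d+\)"
    ),
}

def normalize_asa(line: str) -> Optional[dict]:
    """Return a flat dict of fields, or None if the line carries no ASA header."""
    header = ASA_HEADER.search(line)
    if header is None:
        return None
    fields = {"severity": int(header["severity"]), "msg_id": header["msg_id"]}
    parser = PARSERS.get(header["msg_id"])
    body = parser.match(header["text"]) if parser else None
    if body is None:
        # Unknown ID, or a known ID with an unexpected layout: keep the raw text
        # rather than guessing, so the gap is visible in the normalized output.
        fields["unparsed"] = header["text"]
        return fields
    fields.update(body.groupdict())
    return fields

# Constructed sample lines (not captured from a real device).
SAMPLES = [
    'Nov 23 12:21:00 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4567 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    'Nov 23 12:21:01 fw01 %ASA-6-302013: Built outbound TCP connection 987 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.8/51000 (192.0.2.1/51000)',
    'Nov 23 12:21:02 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.8/51000 to outside:192.0.2.1/51000',
]
```

Each entry in PARSERS corresponds to one rule you would write in an mmnormalize rulebase; lines whose ID has no rule yet come back with an `unparsed` field so you can see which codes still need one.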

