Hi Marcin,

>
> W dniu 22.11.2012 17:27, Rainer Gerhards pisze:
> > Hi Rainer, hi all!
>
> > Replying to myself...
> >
> >> I think you should tackle that beast from a different angle. Regex is
> >> NOT the way to go here. Mmnormalize is - that's *the* use case for
> >> that module. Just yesterday I have posted the relevant links to the
> >> mailing list (in reply to a similar question). Please have a look at
> >> the archive, I don't want to dig them out again (also, Google is good
> >> at finding them).
> > I'll read about normalization, I'll be back in a couple of days.
> >
> Marcin, if you can provide some actual samples of the messages you are
> interested in, we can work together to create the rulebase. I could probably
> create a tutorial out of that (if nothing decent enough exists). A link to
> Cisco
> documentation describing the messages would also be useful.
> Here are a couple of samples (with changed IP addresses):
> 2012-11-23T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8,
> code=0 from 77.2.2.2 on interface outside
> 2012-11-23T10:47:43+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8,
> code=0 from 77.2.2.2 on interface outside
> 2012-11-23T10:47:44+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8,
> code=0 from 77.2.2.2 on interface outside
> 2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-4-400014: IDS:2004 ICMP echo
> request from 1.4.7.7 to 41.10.8.18 on interface outside
> 2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8,
> code=0 from 1.4.7.7 on interface outside
>
I am currently testing this case for Rainer and some things needed to be fixed and others will be enhanced. With the current codebase, it is not really possible to fill a variable with the first 3 or last 3 characters of a row of characters as you described it in your first email. But Rainer is thinking of something currently, so this might take a little while until it works.

In the meantime, I'd like to know how many different log messages you will need to have normalized. In the above examples, there are only 2 types of messages, but they are already different enough.

Florian

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
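As an added example (not code from the thread, from rsyslog or from liblognorm), the two quoted ASA message types normalized by a small Python stand-in for a liblognorm-style rulebase: the rules use the same %name:type% field notation, the three field types (number, ipv4, word) are a constructed subset assumed for this matcher, the sample lines are constructed copies of the ones quoted above, and unmatched lines are tagged rather than dropped.

```python
# Constructed sample lines, modelled on the two Cisco ASA message types quoted in the thread.
SAMPLES = [
    "2012-11-23T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside",
    "2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-4-400014: IDS:2004 ICMP echo request from 1.4.7.7 to 41.10.8.18 on interface outside",
]
# Rules in the %name:type% notation of a liblognorm rulebase. The three field types
# (number, ipv4, word) are an assumption of this toy matcher, not liblognorm's own parser.
RULES = {
    "asa_icmp_denied": "%date:word% %host:ipv4% : %msgid:word% Denied ICMP type=%icmp_type:number%,"
                       " code=%icmp_code:number% from %src:ipv4% on interface %iface:word%",
    "asa_ids_icmp_echo": "%date:word% %host:ipv4% : %msgid:word% IDS:%sigid:number% ICMP echo request"
                         " from %src:ipv4% to %dst:ipv4% on interface %iface:word%",
}

def _take(msg, pos, ftype):
    """Consume one typed field at msg[pos:]; return (value, end) or None on mismatch."""
    keep = str.isdigit if ftype == "number" else (lambda c: not c.isspace())
    end = pos
    while end < len(msg) and keep(msg[end]):
        end += 1
    value = msg[pos:end]
    octets = value.split(".")
    if not value or (ftype == "ipv4" and not (len(octets) == 4 and all(o.isdigit() and int(o) < 256 for o in octets))):
        return None  # empty field, or an ipv4 field such as 999.1.1.1 that is not an address
    return (int(value), end) if ftype == "number" else (value, end)

def match_rule(pattern, msg):
    """Literal and field parts alternate; literals must match exactly, fields by type."""
    fields, pos = {}, 0
    for i, part in enumerate(pattern.split("%")):  # odd indexes are the %name:type% fields
        if i % 2 == 0:
            if not msg.startswith(part, pos):
                return None
            pos += len(part)
            continue
        name, ftype = part.split(":")
        taken = _take(msg, pos, ftype)
        if taken is None:
            return None
        fields[name], pos = taken
    return fields if pos == len(msg) else None  # the whole line must be consumed

def normalize(msg, rules=RULES):
    """First matching rule wins, as in a rulebase; unmatched lines are kept, not dropped."""
    for tag, pattern in rules.items():
        fields = match_rule(pattern, msg)
        if fields is not None:
            return {"rule": tag, **fields}
    return {"rule": "unparsed", "msg": msg}
```

Every new ASA message type needs its own rule, which is why the count of distinct message types matters before a rulebase is written.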

