On Wed, 28 Nov 2012, Florian Riedl wrote:
Hi Marcin,
On 22.11.2012 17:27, Rainer Gerhards wrote:
Hi Rainer, hi all!
Replying to myself...
I think you should tackle that beast from a different angle. Regex is
NOT the way to go here. Mmnormalize is - that's *the* use case for
that module. Just yesterday I have posted the relevant links to the
mailing list (in reply to a similar question). Please have a look at
the archive, I don't want to dig them out again (also, Google is good
at finding them).
I'll read about normalization, I'll be back in a couple of days.
Marcin, if you can provide some actual samples of the messages you are
interested in, we can work together to create the rulebase. I could probably
create a tutorial out of that (if nothing decent enough exists). A link to Cisco
documentation describing the messages would also be useful.
Here are a couple of samples (with changed ip addresses):
2012-11-23T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside
2012-11-23T10:47:43+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside
2012-11-23T10:47:44+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside
2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-4-400014: IDS:2004 ICMP echo request from 1.4.7.7 to 41.10.8.18 on interface outside
2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 1.4.7.7 on interface outside
I am currently testing this case for Rainer and some things needed to be fixed
and others will be enhanced. With the current codebase, it is not really
possible to fill a variable with the first 3 or last 3 characters of a row of
characters as you described it in your first email. But Rainer is thinking of
something currently, so this might take a little while until it works.
In the meantime, I'd like to know how many different log messages you will need
to have normalized. In the above examples, there are only 2 types of messages,
but they are already different enough.
Florian
As a datapoint, my current nightly log analysis scripts have specific calls
looking at the following codes for Cisco ASA boxes:
%ASA-2-106001 %ASA-3-106014 %ASA-3-710003 %ASA-4-106023 %ASA-4-106100
%ASA-4-313005 %ASA-5-304001 %ASA-6-106015 %ASA-6-106100 %ASA-6-110001
%ASA-6-110002 %ASA-6-302013 %ASA-6-302014 %ASA-6-302015 %ASA-6-302016
%ASA-6-302020 %ASA-6-302021 %ASA-6-609001 %ASA-6-609002 %ASA-7-609001
%ASA-7-609002 %ASA-7-710005
If I had time I would enhance this to deal with more.
It's common for Cisco to have a half dozen different items with different line
formats that can be normalized together.
For example, there are different log lines for the first packet of a message
flow depending on if it's TCP, UDP, ICMP, GRE, etc. And this is just with the IP
level logs; if you have it doing application level stuff you then get additional
logs that are protocol related.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog