Thank you, David has done well describing the challenges with having so many fields, and that a prefix would only provide an 'or' condition up to the first discrepancy. If there are a LOT of fields, most can have a different type default value. Or more specifically, if there was another type for a char or string literal. Apache logs, proxy logs, and Windows event logs all have fields which could potentially be populated with specific type-cast data, or have some other type cast for the value it spits out for indicating data is not populated, to maintain formatting or for whatever reason; it could be an IP address or a hyphen.
Also for Windows event logs, I've encountered cases where there could be an additional space for the empty field. Regardless of the substituted typecasting, this mechanism may not support switching any type to any type, but things that make sense, and possibly a default (so if the defined type fails, it would be word) might work alright, unless more strict rules are required, in which case you would need to define an exact match for the literal character "-" or " ", maybe in \xHex value notation for chars, or even a string literal.

-Kendall

On Tue, Jan 27, 2015 at 6:08 PM, David Lang <[email protected]> wrote:
> On Wed, 28 Jan 2015, singh.janmejay wrote:
>
>> Maybe it'll be useful to discuss what you want to achieve with such
>> representations of sample. I mean if possible, take a few samples from
>> your existing rulebase which you think highlight the problem(s) you are facing.
>
> I think the example is the Apache logs, where Apache either puts a value,
> or it puts a placeholder '-'
>
> if you want to capture a specific type (number or ip address for example),
> you won't match a log entry that has a - in that field.
>
> If there are only a couple fields that are like this, you can list all the
> combinations in the ruleset, but if you have a lot of fields like this, the
> combinatorial explosion would make for a LOT of rules.
>
> So I don't think he really needs a generic 'or' allowing any types to be
> combined as much as a way to say "this field could be this type or this
> constant"
>
> David Lang
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
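The "this field could be this type or this constant" matching David describes, and the extra-space empty field Kendall mentions, as an added Python example that is not part of this thread and not liblognorm code; the rule table, matcher names and sample lines are constructed for illustration:

```python
import ipaddress
import re

# Typed matchers: return the parsed value on success, None on failure.
def t_ipv4(tok):
    try:
        return str(ipaddress.IPv4Address(tok))
    except ValueError:
        return None

def t_int(tok):
    return int(tok) if tok.isdigit() else None

def t_word(tok):
    return tok if re.fullmatch(r"\S+", tok) else None

# Literal matcher: accepts exactly the placeholder text ("-" or "" for the
# extra-space case) and returns it, so callers can see the field was unpopulated.
def lit(text):
    return lambda tok: text if tok == text else None

# One rule with per-field alternatives. Each field is tried against its own
# list, so N "type or placeholder" fields cost N entries rather than 2**N rules.
# Hypothetical layout of a trimmed Apache-style access line (constructed):
#   <client-ip|-> <ident|-|empty> <user|-> <status> <bytes|->
RULE = [
    ("client", [lit("-"), t_ipv4]),
    ("ident",  [lit("-"), lit(""), t_word]),
    ("user",   [lit("-"), t_word]),
    ("status", [t_int]),
    ("bytes",  [lit("-"), t_int]),
]

def parse(line, rule=RULE):
    """Return {field: value} if every field matches one alternative, else None."""
    toks = line.split(" ")          # a double space yields an empty token
    if len(toks) != len(rule):
        return None
    out = {}
    for tok, (name, alts) in zip(toks, rule):
        for alt in alts:
            val = alt(tok)
            if val is not None:
                out[name] = val
                break
        else:
            return None             # no alternative matched: rule rejects the line
    return out

if __name__ == "__main__":
    for sample in ["192.0.2.10 - alice 200 512", "192.0.2.10  - 304 -",
                   "- - - 400 -", "192.0.2.10 - bob 200 abc"]:
        print(repr(sample), "->", parse(sample))
```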

