On Wed, Feb 4, 2015 at 6:22 PM, David Lang <[email protected]> wrote:

> On Wed, 4 Feb 2015, singh.janmejay wrote:
>
>> On Wed, Feb 4, 2015 at 7:17 AM, David Lang <[email protected]> wrote:
>>
>>> as I'm spending a bunch of time making templates from cisco logs, a few
>>> thoughts on mmnormalize
>>>
>>> 1. It should probably set parsesuccess like mmjsonparse does
>>>
>>>
>> This will be very useful.
>>
>>
>>
>>> 2. it would be useful to have something like char-to that accepted
>>> multiple characters as the termination pattern. thanks to the addition of
>>> tokenize I was able to work around this ('flags FIN ACK  on interface'
>>> where the number of flags listed is variable)
>>>
>>>
>> I felt the need for this too. I believe the recent string-to thing does
>> this?
>>
>
> I missed that. One thing that is wrong with liblognorm and mmnormalize is
> that the docs that are pointed to are horribly out of date and don't
> mention a lot of these capabilities. I cloned the source from github and
> was looking through it to find things, but apparently missed this one.
>
>
This one: https://github.com/rsyslog/liblognorm/pull/20/files


>
>>
>>> 3. the number type should accept negative numbers, not just digits
>>>
>>>
>>> 4. it would be fantastic to be able to define custom types in the config
>>>
>>> example
>>>
>>> inside:1.2.3.4/56 is a pattern that happens a lot and I use
>>> %srciface:char-to:\x3a%\x3a%srcip:ipv4%/%srcport:number% and
>>> %dstiface:char-to:\x3a%\x3a%dstip:ipv4%/%dstport:number% to match this
>>> pattern
>>>
>>> , being able to define
>>>
>>> custom=info:%iface:char-to:\x3a%\x3a%ip:ipv4%/%port:number%
>>>
>>> and then use "%src:info% to %dst:info% instead of that full pattern and
>>> have the resulting json be
>>> { src : { iface : inside, ip : 1.2.3.4, port : 56 }, { dst...
>>>
>>>
>>>
>> Field type 'descent' does this, but not exactly in the same way.
>>
>
> does it? I understood it to just be calling another ruleset on the whole
> line (doc problem again)
>

It allows a field to identify how the remaining text should be returned, which
allows it to be parsed by the remaining part of the rule that the field
belongs to.

Here is a test which uses something similar to what you are trying to do:
https://github.com/rsyslog/liblognorm/blob/master/tests/field_tokenized_recursive.sh#L41

(check 41 to EOF)

>
> David Lang
>
>
>
>>
>>> 5. Going back to the 'or' question. It would be even better to be able to
>>> define this custom type as a set of patterns.
>>>
>>> while inside:1.2.3.4/56 is a common endpoint definition there are also
>>> 1.2.3.4/56 inside:1.2.3.4/56(string) inside/1.2.3.4 and 1.2.3.4
>>>
>>> if you could define the custom type to be a list of patterns this would
>>> let you take advantage of the two-dimensional nature of JSON and simplify
>>> the ruleset considerably.
>>>
>>> It would also give you a good way to handle the 'or' for Apache logs for
>>> example defining one of the options as a constant '-'
>>>
>>> defining an 'or' instead each pattern is a horrible mess to try and
>>> understand, but if it's done by implementing a new type, I don't have a
>>> problem with it.
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>
>>>
>>
>>
>>

-- 
Regards,
Janmejay
http://codehunk.wordpress.com
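As an added illustration, and not liblognorm's code nor anything posted by the participants above, the toy parser below implements just the field syntax quoted in the thread (`char-to` with `\xNN` escapes, `ipv4`, and a `number` that also accepts the negative values point 3 asks for) together with the hypothetical "custom type defined as a list of patterns" from points 4 and 5, producing the nested JSON-style result David describes. The sample line and the `info` type name are constructed for the example; real liblognorm rulebases do not have this `CUSTOM` mechanism.

```python
import re
# Constructed sample line in the shape the thread discusses (not taken from the page).
SAMPLE = "inside:1.2.3.4/56 to outside:10.0.0.5/443"
# %name:type% or %name:type:extra%; char-to's extra uses the \xNN escapes seen on the page.
FIELD_RE = re.compile(r"%([^:%]+):([^:%]+)(?::([^%]+))?%")

# Hypothetical custom types (points 4 and 5): a name maps to alternative patterns tried in
# order without backtracking, so the one that cannot over-consume (strict ipv4 first) leads.
CUSTOM = {"info": [r"%ip:ipv4%/%port:number%",
                   r"%iface:char-to:\x3a%\x3a%ip:ipv4%/%port:number%"]}

def unescape(s):
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def match_prefix(pattern, text, custom):
    """Match pattern at the start of text; return (fields, remaining_text) or None."""
    out, pos = {}, 0
    for m in FIELD_RE.finditer(pattern):
        lit = unescape(pattern[pos:m.start()])          # literal text before this field
        if not text.startswith(lit):
            return None
        text, (name, ftype, extra) = text[len(lit):], m.groups()
        if ftype == "char-to":                          # everything up to the stop char
            stop = text.find(unescape(extra))
            if stop < 0:
                return None
            value, text = text[:stop], text[stop:]
        elif ftype == "ipv4":                           # dotted quad with octets <= 255
            hit = re.match(r"\d{1,3}(?:\.\d{1,3}){3}", text)
            if not hit or max(map(int, hit.group(0).split("."))) > 255:
                return None
            value, text = hit.group(0), text[hit.end():]
        elif ftype == "number":                         # signed, as point 3 asks for
            hit = re.match(r"-?\d+", text)
            if not hit:
                return None
            value, text = int(hit.group(0)), text[hit.end():]
        elif ftype in custom:                           # nested object from a custom type
            sub = next(filter(None, (match_prefix(a, text, custom) for a in custom[ftype])), None)
            if sub is None:
                return None
            value, text = sub
        else:
            raise ValueError(f"unknown field type {ftype}")
        out[name], pos = value, m.end()
    lit = unescape(pattern[pos:])
    return (out, text[len(lit):]) if text.startswith(lit) else None

def parse(rule, line, custom=CUSTOM):   # whole-line match: nested dict, or None on mismatch
    hit = match_prefix(rule, line, custom)
    return hit[0] if hit and hit[1] == "" else None
```

`parse("%src:info% to %dst:info%", SAMPLE)` yields `{"src": {"iface": "inside", "ip": "1.2.3.4", "port": 56}, "dst": {...}}`, while a line with an invalid octet or trailing unmatched text yields None rather than a partial result.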