2015-03-12 12:50 GMT+01:00 Rainer Gerhards <[email protected]>:
> 2015-02-04 13:52 GMT+01:00 David Lang <[email protected]>:
>
>> On Wed, 4 Feb 2015, singh.janmejay wrote:
>>
>>> On Wed, Feb 4, 2015 at 7:17 AM, David Lang <[email protected]> wrote:
>>>
>>>> as I'm spending a bunch of time making templates from Cisco logs, a few
>>>> thoughts on mmnormalize
>>>>
>>>> 1. It should probably set parsesuccess like mmjsonparse does
>>>
>>> This will be very useful.
>>>
>>>> 2. it would be useful to have something like char-to that accepted
>>>> multiple characters as the termination pattern. thanks to the addition of
>>>> tokenize I was able to work around this ('flags FIN ACK on interface'
>>>> where the number of flags listed is variable)
>>>
>>> I felt the need for this too. I believe the recent string-to thing does
>>> this?
>>
>> I missed that. One thing that is wrong with liblognorm and mmnormalize is
>> that the docs that are pointed to are horribly out of date and don't
>> mention a lot of these capabilities. I cloned the source from github and
>> was looking through it to find things, but apparently missed this one.
>
> Mhh... I updated the web site to autoupdate from the repo doc. I just
> checked and it looks fine. Do you really get the old doc? (the new one says
> 1.1.1 for example).

sorry -- I didn't realize the early mails were from Feb... Just discard my
message ;)

Rainer

> Rainer
>
>>>> 3. the number type should accept negative numbers, not just digits
>>>>
>>>> 4. it would be fantastic to be able to define custom types in the config
>>>>
>>>> example
>>>>
>>>> inside:1.2.3.4/56 is a pattern that happens a lot and I use
>>>> %srciface:char-to:\x3a%\x3a%srcip:ipv4%/%srcport:number% and
>>>> %dstiface:char-to:\x3a%\x3a%dstip:ipv4%/%dstport:number% to match this
>>>> pattern, being able to define
>>>>
>>>> custom=info:%iface:char-to:\x3a%\x3a%ip:ipv4%/%port:number%
>>>>
>>>> and then use "%src:info% to %dst:info%" instead of that full pattern and
>>>> have the resulting json be
>>>> { src : { iface : inside, ip : 1.2.3.4, port : 56 }, { dst...
>>>
>>> Field type 'descent' does this, but not exactly in the same way.
>>
>> does it? I understood it to just be calling another ruleset on the whole
>> line (doc problem again)
>>
>> David Lang
>>
>>>> 5. Going back to the 'or' question. It would be even better to be able to
>>>> define this custom type as a set of patterns.
>>>>
>>>> while inside:1.2.3.4/56 is a common endpoint definition there are also
>>>> 1.2.3.4/56 inside:1.2.3.4/56(string) inside/1.2.3.4 and 1.2.3.4
>>>>
>>>> if you could define the custom type to be a list of patterns this would
>>>> let you take advantage of the two-dimensional nature of JSON and simplify
>>>> the ruleset considerably.
>>>>
>>>> It would also give you a good way to handle the 'or' for Apache logs for
>>>> example defining one of the options as a constant '-'
>>>>
>>>> defining an 'or' instead each pattern is a horrible mess to try and
>>>> understand, but if it's done by implementing a new type, I don't have a
>>>> problem with it.
>>>>
>>>> David Lang
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
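The example below is added here to illustrate the rule syntax David Lang quotes and the two features he asks for (custom types that yield nested JSON, item 4, and a custom type defined as a set of alternative patterns, item 5). It is not code from this thread, from liblognorm or from mmnormalize, and it does not reproduce how liblognorm's own 'descent' type works: it is a small stand-alone Python interpreter for a subset of liblognorm-style rules. Everything in it is an assumption of this example: the function names, the `word` field type, the integer conversion of `number` values, the `number` type accepting a leading minus (item 3), the `info` alternatives and the Cisco-flavoured sample lines, which are constructed. `char-to` takes everything up to the first occurrence of its terminator, so the first `info` alternative can over-consume on a line like `1.2.3.4/56 to inside:...`; the example shows how trying the alternatives in order with backtracking over the rest of the rule recovers the intended split.

```python
"""Toy interpreter for a liblognorm-style rule subset (constructed example,
not liblognorm or mmnormalize code)."""
import json
import re

# %name:type% or %name:type:extra%  (extra is the terminator for char-to)
FIELD_RE = re.compile(r'%(?P<name>[^:%]+):(?P<type>[^:%]+)(?::(?P<extra>[^%]*))?%')
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')
NUMBER_RE = re.compile(r'-?\d+')   # leading minus allowed (thread item 3)
WORD_RE = re.compile(r'\S+')       # 'word' is this example's own type


def unescape(text):
    # expand \xNN escapes such as \x3a (':') used inside rules
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), text)


def tokenize(rule):
    """Split a rule into ('lit', text) and ('field', name, type, extra) tokens."""
    tokens, pos = [], 0
    for m in FIELD_RE.finditer(rule):
        if m.start() > pos:
            tokens.append(('lit', unescape(rule[pos:m.start()])))
        tokens.append(('field', m.group('name'), m.group('type'),
                       unescape(m.group('extra') or '')))
        pos = m.end()
    if pos < len(rule):
        tokens.append(('lit', unescape(rule[pos:])))
    return tokens


def candidates(line, pos, ftype, extra, types):
    """Yield (end_pos, value) pairs a field of type ftype can match at pos."""
    if ftype in types:                      # custom type: alternatives in order
        for alt in types[ftype]:
            hit = match_tokens(tokenize(alt), line, pos, types)
            if hit is not None:
                yield hit                   # value is the nested field dict
        return
    if ftype == 'char-to':                  # up to the FIRST terminator, non-empty
        idx = line.find(extra, pos)
        if idx > pos:
            yield idx, line[pos:idx]
    elif ftype == 'ipv4':
        m = IPV4_RE.match(line, pos)
        if m and all(int(o) <= 255 for o in m.group().split('.')):
            yield m.end(), m.group()
    elif ftype == 'number':
        m = NUMBER_RE.match(line, pos)
        if m:
            yield m.end(), int(m.group())   # int conversion is this toy's choice
    elif ftype == 'word':
        m = WORD_RE.match(line, pos)
        if m:
            yield m.end(), m.group()
    else:
        raise ValueError('unknown field type: ' + ftype)


def match_tokens(tokens, line, pos, types):
    """Match tokens from pos, backtracking over field candidates.
    Returns (end_pos, fields) or None."""
    if not tokens:
        return pos, {}
    tok, rest = tokens[0], tokens[1:]
    if tok[0] == 'lit':
        if not line.startswith(tok[1], pos):
            return None
        return match_tokens(rest, line, pos + len(tok[1]), types)
    _, name, ftype, extra = tok
    for end, value in candidates(line, pos, ftype, extra, types):
        tail = match_tokens(rest, line, end, types)
        if tail is not None:
            fields = {name: value}
            fields.update(tail[1])
            return tail[0], fields
    return None


def normalize(rule, line, types=None):
    """Whole-line match; returns the field dict, or None (parsesuccess false)."""
    hit = match_tokens(tokenize(rule), line, 0, types or {})
    if hit is None or hit[0] != len(line):
        return None
    return hit[1]


# The thread's 'info' type, widened into the set of endpoint spellings David lists.
TYPES = {'info': [
    r'%iface:char-to:\x3a%\x3a%ip:ipv4%/%port:number%(%tag:char-to:)%)',  # inside:1.2.3.4/56(dns)
    r'%iface:char-to:\x3a%\x3a%ip:ipv4%/%port:number%',                   # inside:1.2.3.4/56
    r'%iface:char-to:/%/%ip:ipv4%',                                        # inside/1.2.3.4
    r'%ip:ipv4%/%port:number%',                                            # 1.2.3.4/56
    r'%ip:ipv4%',                                                          # 1.2.3.4
]}
RULE = r'teardown %proto:word% %src:info% to %dst:info% duration %secs:number%'
SAMPLE_LINES = [   # constructed sample messages, not real device output
    'teardown TCP inside:1.2.3.4/56 to outside:5.6.7.8/443 duration 12',
    'teardown UDP 1.2.3.4/56 to inside:5.6.7.8/53(dns) duration -1',
    'teardown ICMP inside/1.2.3.4 to 5.6.7.8 duration 0',
    'teardown TCP garbage duration 3',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        fields = normalize(RULE, line, TYPES)
        print(json.dumps({'parsesuccess': fields is not None, 'fields': fields}))
```

Running the script prints one JSON object per sample line; the fourth line does not match and comes out with `parsesuccess` false and no fields, which is the behaviour item 1 asks mmnormalize to expose. The order of the alternatives matters only for lines that several of them could match, and a rule that needs a fixed set of terminators (item 2) would be modelled by giving `char-to` a list in `extra` rather than one character.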

