In message <[email protected]>,
Risto Vaarandi writes:
>I've also been thinking about introducing optional named fields for custom
>patterns. For example, if in the first rule one writes
>
> action=createpattern SYSLOG HOST,PROGRAM,,MESSAGE
>
>then the HOST, PROGRAM and MESSAGE fields will be set to $1, $2 and $4,
>respectively. If in the second rule one writes
>
>pattern=SYSLOG MESSAGE,HOST
>
>the MESSAGE field will set $1 and the HOST field $2. This would allow for
>rearranging the variables if needed, and making them more readable.
>
>Note that once a new line is read from an input file and stored into input
>buffer, the SYSLOG pattern would cease to exist, and pattern=SYSLOG would
>evaluate false (until SYSLOG will be recreated with 'createpattern' action).
I like it. The named fields will make things much more readable, and
while flexibly setting $1, $2 ... is nice, it would be even nicer to be
able to use the named fields directly. With:
type=Single
ptype=RegExp
pattern=([\w\-.]+) ([\w\-.]+)\[(\d+)\]: (.*)
desc=parse a syslog message
action=createpattern SYSLOG HOST,PROGRAM,,MESSAGE
You could specify:
type=Single
ptype=custom
pattern=SYSLOG
desc=Received syslog message %(MESSAGE) from host %(HOST)
action=logonly
rather than:
type=Single
ptype=custom
pattern=SYSLOG MESSAGE, HOST
desc=Received syslog message $1 from host $2
action=logonly
Also, ideally, I would like any pattern to be able to be assigned to
names and used immediately. Maybe something like:
type=Single
ptype=RegExp
pattern=([\w\-.]+) ([\w\-.]+)\[(\d+)\]: (.*)
rem = rather than an action, this takes place as soon as the pattern matches
assignment = SYSLOG HOST,PROGRAM,,MESSAGE
desc=parse a syslog message
action = write - parsed syslog message: %(HOST), %(PROGRAM), %(MESSAGE)
which allows the name assignment to be done in the command and used
for substitution in the same (or subsequent) command.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
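As an added illustration (not part of this message, and not SEC's own code), the following Python script simulates the semantics proposed above: a RegExp rule publishes its capture groups under a name with 'createpattern', later rules reuse them through ptype=custom with either %(NAME) references or a rearranged field list mapped to $1, $2, an 'assignment' key makes the names usable in the same rule's action, and the named pattern disappears as soon as the next input line is read. The regex, field names and rule text are taken from the thread; the Engine class, the rule dictionaries, the log lines and the rule that a bare 'pattern=SYSLOG' sets no $N variables are assumptions made for this example.

```python
import re

# Added example, not SEC code: a toy engine for the named-field / custom-pattern
# semantics proposed in this thread. The Engine class, rule dictionaries and
# log lines are constructed for the illustration.

# Regex from the thread: "host program[pid]: message"
SYSLOG_RE = r"([\w\-.]+) ([\w\-.]+)\[(\d+)\]: (.*)"

# Constructed sample input (not real log data)
SAMPLE_LINES = [
    "fw1 sshd[1234]: Failed password for root from 10.0.0.5 port 4242 ssh2",
    "this line does not look like syslog at all",
    "web2 nginx[77]: 10.0.0.9 - GET /admin 403",
]

RULES = [
    # parse once and publish the fields under the name SYSLOG
    {"ptype": "RegExp", "pattern": SYSLOG_RE,
     "desc": "parse a syslog message",
     "action": "createpattern SYSLOG HOST,PROGRAM,,MESSAGE"},
    # reuse by name with %(NAME) references
    {"ptype": "custom", "pattern": "SYSLOG",
     "desc": "Received syslog message %(MESSAGE) from host %(HOST)",
     "action": "logonly"},
    # reuse by name, rearranging the fields into $1 and $2
    {"ptype": "custom", "pattern": "SYSLOG MESSAGE,HOST",
     "desc": "Received syslog message $1 from host $2",
     "action": "logonly"},
    # 'assignment' makes the names usable in the same rule's action
    {"ptype": "RegExp", "pattern": SYSLOG_RE,
     "assignment": "SYSLOG HOST,PROGRAM,,MESSAGE",
     "desc": "parse a syslog message",
     "action": "write - parsed syslog message: %(HOST), %(PROGRAM), %(MESSAGE)"},
]


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.patterns = {}  # name -> {FIELD: value}; lives for one input line only

    def create_pattern(self, name, groups, spec):
        """Spec like 'HOST,PROGRAM,,MESSAGE'; an empty slot drops that group."""
        fields = {}
        for idx, fname in enumerate(spec.split(",")):
            fname = fname.strip()
            if fname and idx < len(groups):
                fields[fname] = groups[idx]
        self.patterns[name] = fields

    def match_custom(self, spec):
        """'SYSLOG MESSAGE,HOST' -> (fields, {'1': MESSAGE, '2': HOST});
        None if the pattern was not created while handling the current line."""
        parts = spec.split(None, 1)
        fields = self.patterns.get(parts[0])
        if fields is None:
            return None
        positional = {}  # assumption: no field list means no $N variables
        if len(parts) == 2:
            for idx, fname in enumerate(parts[1].split(","), start=1):
                positional[str(idx)] = fields[fname.strip()]
        return fields, positional

    @staticmethod
    def expand(template, fields, positional):
        """Substitute %(NAME) from named fields and $N from positional ones."""
        text = re.sub(r"%\((\w+)\)", lambda m: fields.get(m.group(1), m.group(0)), template)
        return re.sub(r"\$(\d+)", lambda m: positional.get(m.group(1), m.group(0)), text)

    def feed(self, line):
        """Run every rule over one input line; return the text the rules emit."""
        self.patterns.clear()  # a new line invalidates patterns from earlier lines
        emitted = []
        for rule in self.rules:
            fields, positional, groups = {}, {}, ()
            if rule["ptype"] == "RegExp":
                m = re.match(rule["pattern"], line)
                if not m:
                    continue
                groups = m.groups()
                positional = {str(i + 1): g for i, g in enumerate(groups)}
                if "assignment" in rule:
                    name, spec = rule["assignment"].split(None, 1)
                    self.create_pattern(name, groups, spec)
                    fields = self.patterns[name]
            else:
                hit = self.match_custom(rule["pattern"])
                if hit is None:
                    continue
                fields, positional = hit
            verb, _, rest = rule["action"].partition(" ")
            if verb == "createpattern":
                name, spec = rest.split(None, 1)
                self.create_pattern(name, groups, spec)
            elif verb == "logonly":
                emitted.append(self.expand(rule["desc"], fields, positional))
            elif verb == "write":
                _target, text = rest.split(None, 1)  # '-' would mean stdout in SEC
                emitted.append(self.expand(text, fields, positional))
        return emitted


def run(lines=SAMPLE_LINES, rules=RULES):
    """Feed each line through the rules and collect everything emitted."""
    engine = Engine(rules)
    out = []
    for line in lines:
        out.extend(engine.feed(line))
    return out


if __name__ == "__main__":
    for msg in run():
        print(msg)
```

Running it emits three lines for each of the two syslog-shaped inputs and nothing for the middle line: the custom rules stay silent there because the SYSLOG pattern was cleared when that line was read and no RegExp rule recreated it.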
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users