SEC is a great tool for alerting on things in the logs. However, it doesn't reformat the logs. It can be abused to do so (as you are seeing), but that is really not the right tool for the job.

I would suggest that you look at the capabilities of liblognorm and what rsyslog is doing with that in v6+. This is an efficient parsing engine, and they are paying really close attention to the CEE standards for what to name the various fields.

David Lang

On Mon, 12 Dec 2011, Alberto Cortón wrote:

> Date: Mon, 12 Dec 2011 15:01:36 +0100
> From: Alberto Cortón <acor...@s21sec.com>
> To: simple-evcorr-users@lists.sourceforge.net
> Subject: [Simple-evcorr-users] Data normalization
>
> Hi,
>
> I would like to know if any of you have used SEC for normalizing log data. My
> first approach to this was to generate normalized events like this:
>
> action = event 'TIME=$1:::CODE=$3:::SRC_IP=$4:::SRC_PORT=$5:::DST_IP=$6:::DST_PORT=$7:::IFACE=$8:::PROTOCOL=$9:::ACTION=$10'
>
> and use a single pattern for generating the alerts
>
> pattern = TIME=(.+?):::CODE=(.+?):::SRC_IP=(.+?):::SRC_PORT=(.+?):::DST_IP=(.+?):::DST_PORT=(.+?):::IFACE=(.+?):::PROTOCOL=(.+?):::ACTION=(.+?)
>
> But this list could grow up to twenty or more parameters, so you would need a
> VERY large pattern for capturing the normalized events. Moreover, because not
> all the devices log the same info (sometimes there is no interface
> information, for example) I would need to add several empty fields on almost
> any action.
>
> Any thoughts or suggestions?
>
> Regards,
>
> ------------------------------------------------------------------------------
> Learn Windows Azure Live! Tuesday, Dec 13, 2011
> Microsoft is holding a special Learn Windows Azure training event for
> developers. It will provide a great way to learn Windows Azure and what it
> provides. You can attend the event by watching it streamed LIVE online.
> Learn more at http://p.sf.net/sfu/ms-windowsazure
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
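The KEY=value:::KEY=value layout Alberto describes, parsed generically instead of with one large capture pattern, as an added example that is not part of this thread or of SEC itself: each field is split out by name, so a device that omits IFACE needs no empty placeholder and a rule only names the fields it cares about. The sample events and the field names beyond those in the thread are constructed.

```python
import re
from typing import Dict

# Constructed sample events in the KEY=value:::KEY=value layout from the
# thread (values are made up). The second comes from a device that logs no
# interface, so IFACE is simply absent rather than an empty field.
SAMPLE_EVENTS = [
    "TIME=Dec 12 15:01:36:::CODE=106023:::SRC_IP=192.0.2.10:::SRC_PORT=51234"
    ":::DST_IP=198.51.100.5:::DST_PORT=22:::IFACE=outside:::PROTOCOL=tcp:::ACTION=deny",
    "TIME=Dec 12 15:02:01:::CODE=302013:::SRC_IP=192.0.2.11:::SRC_PORT=40000"
    ":::DST_IP=198.51.100.5:::DST_PORT=22:::PROTOCOL=tcp:::ACTION=deny",
]

FIELD_SEP = ":::"
# One field is NAME=value; NAME is an identifier, the value may be empty.
FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_event(line: str) -> Dict[str, str]:
    """Split one normalized event into a dict of field name -> value.

    Empty values (IFACE=) are dropped so that 'missing' and 'empty' look the
    same to the rules. A chunk that is not NAME=value, or a duplicated name,
    raises: in an alerting path a silently half-parsed event can hide a
    match, so failing loudly is the safer reaction.
    """
    fields: Dict[str, str] = {}
    for chunk in line.rstrip("\n").split(FIELD_SEP):
        m = FIELD_RE.match(chunk)
        if m is None:
            raise ValueError(f"malformed field {chunk!r}")
        name, value = m.group(1), m.group(2)
        if name in fields:
            raise ValueError(f"duplicate field {name!r}")
        if value:
            fields[name] = value
    return fields


def matches(fields: Dict[str, str], **wanted: str) -> bool:
    """True when every wanted field is present with the given value; any
    other field (IFACE, for instance) may be present or absent."""
    return all(fields.get(k) == v for k, v in wanted.items())


def count_ssh_denies(lines) -> int:
    """Count the events a rule 'ACTION=deny towards DST_PORT=22' alerts on."""
    return sum(1 for ln in lines
               if matches(parse_event(ln), ACTION="deny", DST_PORT="22"))
```

One caveat the parser makes visible: a value that itself ends in a colon (a timestamp with a trailing ":" say) runs into the ":::" separator and turns the next chunk into ":CODE=..." which the parser rejects, so a separator that cannot occur in any value (a tab, for example) is the more robust choice.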